Wireshark mailing list archives

tshark - Issues with IP Defragmentation - SIP


From: Marv <marv () reesmarine com>
Date: Fri, 8 Feb 2013 10:32:58 +0000

Hi

I have a problem reading pcap files that have fragmented packets with
tshark. My expectation is that tshark will re-assemble the fragmented IP packets
before it passes them to the higher layer dissectors. But this doesn't
appear to happen. If I open the same file with the Wireshark GUI
application it does this fine.

Should I be able to do this with tshark on the command line? I have tried
various tshark versions and get the same result. 1.4x, 1.6.7 and 1.8.2. I
have also tried overriding the default sip.defragment option.

As an example I am searching pcap files (dumped with tcpdump) for SIP calls.
But the SIP dissector doesn't recognise the packets because they are still
fragmented. So if I look at the first 10 packets in the file I see:

$ tshark -r 218423_1.cap00 -c 10
  1 0.000000 10.0.226.129 -> 10.0.226.133 SIP 1251 Request: OPTIONS sip:10.0.226.133;transport=tcp
  2 0.000835 10.0.226.133 -> 10.0.226.129 SIP 1337 Status: 200 OK
  3 5.091195 10.0.226.133 -> 10.0.226.129 SIP/SDP 1025 Request: INVITE sip:02036750000@10.0.226.129;user=phone, with session description
  4 5.094097 10.0.226.129 -> 10.0.226.133 SIP 359 Status: 100 Trying
  5 5.122237 10.0.226.129 -> 10.0.226.133 IPv4 132 Fragmented IP protocol (proto=UDP 17, off=1480, ID=d618)
  6 5.169126 10.0.226.129 -> 10.0.226.133 IPv4 825 Fragmented IP protocol (proto=UDP 17, off=1480, ID=d619)
  7 5.171658 10.0.226.133 -> 10.0.226.129 SIP 840 Status: 100 Trying
  8 5.176699 10.0.226.129 -> 10.0.226.134 RTP 218 PT=ITU-T G.711 PCMA, SSRC=0x33B61227, Seq=1, Time=0
  9 5.177610 10.0.226.129 -> 10.0.226.134 RTCP 134 Receiver Report   Source description
 10 5.196590 10.0.226.129 -> 10.0.226.134 RTP 218 PT=ITU-T G.711 PCMA, SSRC=0x33B61227, Seq=2, Time=160

As you can see #5 and 6 show as fragmented. If I try to pass this through a
sip filter it won't find those packets, so it doesn't appear to be
re-assembling them in the same way the Wireshark application does.

$ tshark -r 218423_1.cap00 sip -c 10
  1 0.000000 10.0.226.129 -> 10.0.226.133 SIP 1251 Request: OPTIONS sip:10.0.226.133;transport=tcp
  2 0.000835 10.0.226.133 -> 10.0.226.129 SIP 1337 Status: 200 OK
  3 5.091195 10.0.226.133 -> 10.0.226.129 SIP/SDP 1025 Request: INVITE sip:02036750000@10.0.226.129;user=phone, with session description
  4 5.094097 10.0.226.129 -> 10.0.226.133 SIP 359 Status: 100 Trying
  7 5.171658 10.0.226.133 -> 10.0.226.129 SIP 840 Status: 100 Trying
 12 5.216181 10.0.226.129 -> 10.0.226.133 SIP 1026 Request: PRACK sip:07867180000@10.0.226.133:5060
 14 5.219458 10.0.226.133 -> 10.0.226.129 SIP 1385 Status: 200 OK
483 8.250769 10.0.226.133 -> 10.0.226.129 SIP 1498 Status: 180 Ringing
487 8.267270 10.0.226.129 -> 10.0.226.133 SIP 1028 Request: PRACK sip:07867180000@10.0.226.133:5060
488 8.270899 10.0.226.133 -> 10.0.226.129 SIP 1387 Status: 200 OK

As can be seen, packets 5 and 6 (which in this case I know form an INVITE) don't
get shown. I have also tried -o ip.defragment:TRUE and also writing the
output to a file, but it still doesn't change anything.

For reference I am capturing them with tcpdump using the following BPF:
( vlan and (port 5060 or ip[6:2] & 0x1fff != 0 ))

Any advice would be much appreciated.
Cheers
Martin
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
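IP reassembly can only succeed when the offset-0 fragment of each datagram is in the file, so a first check on a capture like the one above is whether every fragmented IP ID actually has its first fragment captured. The script below is an added diagnostic, not code from this thread or from Wireshark: it parses tshark's one-line summary output, groups fragment frames by (src, dst, IP ID) and lists IDs with no offset-0 fragment. The sample lines are constructed: frames 4 to 6 are copied from the output above, frames 11 and 13 are invented to show a datagram whose first fragment is present.

```python
"""Check tshark summary output for IP fragments whose first fragment (off=0)
never appears in the file, so reassembly cannot succeed whatever ip.defragment
is set to. Added diagnostic, not part of the mailing-list thread. Assumes
tshark's default one-line summary: "No. Time Src -> Dst Proto Length Info".
"""
import re
from collections import defaultdict

# Newer tshark releases print a Unicode arrow instead of "->"; accept both.
SUMMARY_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>\S+)\s+(?P<src>\S+)\s+(?:->|\u2192)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*)$"
)
FRAG_RE = re.compile(
    r"Fragmented IP protocol \(proto=(?P<l4>\S+ \d+), off=(?P<off>\d+), "
    r"ID=(?P<id>[0-9a-fA-F]+)\)"
)

# Constructed sample: frames 4-6 are copied from the thread's tshark output;
# frames 11 and 13 are made up to show a datagram whose first fragment is present.
SAMPLE = """\
  4 5.094097 10.0.226.129 -> 10.0.226.133 SIP 359 Status: 100 Trying
  5 5.122237 10.0.226.129 -> 10.0.226.133 IPv4 132 Fragmented IP protocol (proto=UDP 17, off=1480, ID=d618)
  6 5.169126 10.0.226.129 -> 10.0.226.133 IPv4 825 Fragmented IP protocol (proto=UDP 17, off=1480, ID=d619)
 11 5.210000 10.0.226.129 -> 10.0.226.133 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=d61a)
 13 5.210100 10.0.226.129 -> 10.0.226.133 IPv4 300 Fragmented IP protocol (proto=UDP 17, off=1480, ID=d61a)
"""

def fragments_by_datagram(lines):
    """Group fragment frames by (src, dst, IP ID) -> sorted [(offset, frame_no), ...]."""
    groups = defaultdict(list)
    for line in lines:
        m = SUMMARY_RE.match(line)
        f = FRAG_RE.search(m.group("info")) if m else None
        if not f:
            continue  # not a packet line, or not an unreassembled fragment
        key = (m.group("src"), m.group("dst"), f.group("id").lower())
        groups[key].append((int(f.group("off")), int(m.group("no"))))
    return {k: sorted(v) for k, v in groups.items()}

def missing_first_fragment(lines):
    """IP IDs whose lowest captured offset is not 0: tshark can never reassemble these."""
    return sorted(ip_id for (_, _, ip_id), frags in fragments_by_datagram(lines).items()
                  if frags[0][0] != 0)

if __name__ == "__main__":
    for key, frags in fragments_by_datagram(SAMPLE.splitlines()).items():
        print(key, frags)
    print("no first fragment captured:", missing_first_fragment(SAMPLE.splitlines()))
```

On the sample this reports d618 and d619, the two IDs in the output above for which only an off=1480 fragment was captured; run it over `tshark -r file.cap` output to check a whole capture.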