Wireshark mailing list archives
Re: tshark - Issues with IP Defragmentation - SIP
From: Christopher Maynard <Christopher.Maynard () gtech com>
Date: Fri, 8 Feb 2013 17:37:41 +0000 (UTC)
Marv <marv@...> writes:
I have a problem reading pcap files that have fragmented packets with tshark. My expectaion is tshark will re-assemble the fragmented IP packets before it passes them to the higher layer dissectors. But this doesnt appear to happen. If I open the same file with the Wireshark GUI application it does this fine. Should I be able to do this with tshark on the command line? I have tried various tshark versions and get the same result. 1.4x, 1.6.7 and 1.8.2. I have also tried overriding the default sip.defragment option.
You can try using the "-2" option so that tshark performs a 2-pass analysis. But be aware that there appears to be a bug with that option that you might run into: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8101 NOTE: "-2" is for Wireshark 1.8 or later. Prior to that, it was the undocumented "-P" option. ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- tshark - Issues with IP Defragmentation - SIP Marv (Feb 08)
- Re: tshark - Issues with IP Defragmentation - SIP Christopher Maynard (Feb 08)