Re: tshark - Issues with IP Defragmentation - SIP

[Christopher Maynard <Christopher.Maynard () gtech com>]

Marv <marv@...> writes:

> I have a problem reading pcap files 
> that have fragmented packets with tshark. My expectaion is tshark will 
> re-assemble the fragmented IP packets before it passes them to the 
> higher layer dissectors. But this doesnt appear to happen. If I open the
>  same file with the Wireshark GUI application it does this fine.
> Should I be able to do this with tshark on the command line? I have 
> tried various tshark versions and get the same result. 1.4x, 1.6.7 and 
> 1.8.2. I have also tried overriding the default sip.defragment option.

You can try using the "-2" option so that tshark performs a 2-pass analysis. 
But be aware that there appears to be a bug with that option that you might run
into: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8101

NOTE: "-2" is for Wireshark 1.8 or later.  Prior to that, it was the
undocumented "-P" option.


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe