I'm trying to capture a SIP-I call using Wireshark. I get all the messages except INVITE. Do you know why the INVITE is not captured? Is it due to an MTU issue or something? We can see the INVITE properly when we use pure SIP; the issue happens with the SIP-I INVITE only. Any help to sort this issue is highly appreciated.

asked 06 Aug '13, 23:32 Ravindu
One Answer:
Well, it could be a bug in Wireshark, or the SIP header isn't formed according to the RFC(s), in which case the sending application needs to be fixed. You could open up a bug report and let us have a look at the trace to try to determine which case it is, or have a look at the code in packet-sip.c.

answered 07 Aug '13, 21:20 Anders ♦

I'm having the same issue. Regarding the trace required, how can I get the trace if I can't capture it? (23 Oct '13, 12:07) AshenC

Well, the presumption is that the message is in the trace as UDP or TCP but for some reason Wireshark isn't interpreting it as SIP. With a trace we could perhaps determine if that's the case. (23 Oct '13, 13:23) Anders ♦

Could you upload the capture file and post the link? http://www.cloudshark.org/ (24 Oct '13, 18:04) Quadratic

Just wondering if there was a resolution to this problem. I'm having the same problem with no SIP INVITEs, however my colleague's laptop seems to be fine. The only difference is my laptop is 64-bit Win7 and his is 32-bit Win7. (21 Nov '13, 03:06) GTE01

Can you provide a capture file? The problem of @Ravindu was that there were packets missing in the provided capture file. (21 Nov '13, 06:05) Kurt Knochner ♦
Have you checked that the problem isn't that Wireshark fails to recognise the message as SIP?
Hello Anders, thanks for your comment & you are right. It seems Wireshark can't identify it as SIP. Any idea how this can be solved?
Hello Anders, you are correct, the INVITE is displayed until the IPv4 layer & it seems Wireshark can't identify it after that. I have uploaded a trace in the below link. Appreciate your help.
http://www.cloudshark.org/captures/82506ab125bd
It's a packet fragment (observe the fragment offset field in the inner IP header). Also the other fragment isn't in the trace file, explaining why it's not decoding as an IAM/INVITE.
Are you creating the capture file with an application-level display filter, such as "sip", or are you saving based on port number, IP, etc.? I'm wondering if the missing packet might have got lost due to Wireshark only displaying the last fragment as the actual SIP message, where the first packet wasn't caught in the display filter to be saved.
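The check described in the comments above (a non-zero fragment offset whose sibling fragment is absent from the trace), as an added example that is not part of the original thread: it groups IPv4 fragments by source, destination, protocol and IP ID and reports which byte ranges are missing. It assumes the input is raw IPv4 packets (the inner header when the traffic is encapsulated); `parse_ipv4`, `incomplete_datagrams`, `build_ipv4` and the sample packets are hypothetical names and constructed data.

```python
import struct
from collections import defaultdict

def parse_ipv4(pkt: bytes) -> dict:
    """Pull the reassembly-relevant fields out of a raw IPv4 packet."""
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    return {
        "key": (pkt[12:16], pkt[16:20], proto, ident),  # src, dst, proto, IP ID
        "more_fragments": bool(flags_off & 0x2000),
        "offset": (flags_off & 0x1FFF) * 8,  # header field is in 8-byte units
        "payload_len": total_len - (ver_ihl & 0x0F) * 4,
    }

def incomplete_datagrams(packets):
    """Map each fragmented datagram with absent fragments to what is missing."""
    groups = defaultdict(list)
    for pkt in packets:
        info = parse_ipv4(pkt)
        if info["more_fragments"] or info["offset"]:  # unfragmented packets are skipped
            groups[info["key"]].append(info)
    problems = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        covered = 0
        for frag in frags:
            if frag["offset"] > covered:  # hole before this fragment
                problems[key] = f"missing bytes {covered}-{frag['offset'] - 1}"
                break
            covered = max(covered, frag["offset"] + frag["payload_len"])
        else:
            if frags[-1]["more_fragments"]:
                problems[key] = f"missing bytes from {covered} onward (no last fragment)"
    return problems

def build_ipv4(ident, offset, more, payload):  # helper for the constructed samples
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), ident, flags_off, 64, 17, 0)
    return hdr + bytes([192, 0, 2, 1]) + bytes([192, 0, 2, 2]) + payload

SAMPLE = [  # constructed data, not taken from the capture linked in the thread
    build_ipv4(0x1001, 0, False, b"a" * 400),     # unfragmented message
    build_ipv4(0x1002, 1480, False, b"b" * 300),  # tail only: first fragment absent
    build_ipv4(0x1003, 0, True, b"c" * 1480),     # complete two-fragment datagram
    build_ipv4(0x1003, 1480, False, b"c" * 200),
    build_ipv4(0x1004, 0, True, b"d" * 1480),     # head only: last fragment absent
]

if __name__ == "__main__":
    for key, why in incomplete_datagrams(SAMPLE).items():
        print(f"IP ID 0x{key[3]:04x}: {why}")
```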