This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

“Continuation” in info column of SIP traffic

0

In collected traces, we are seeing a Continuation message in the SIP protocol. There are a continuation line and a continuation protocol, which are empty, in this SIP message. According to the Wireshark logs, the soft client VoIP program is sending this; however, we do not find any SIP message with the name continuation when we investigate this soft client's logs. Can you explain why Wireshark is showing a message like that?

In addition, the network elements are using the TCP protocol for SIP messaging.

Regards,

Gizem Arslan.

asked 19 Nov '13, 05:44


gizem arslan

edited 14 Jan '14, 09:07


Kurt Knochner ♦

I am having a similar issue with SIP TCP packets showing up as "Continuation". I am on the latest build of Wireshark. About shows the following: Version 1.10.5 (SVN Rev 54262 from /trunk-1.10)

(14 Jan '14, 08:14) buddhaholic420

According to packet-sip.c, that's a sign of a SIP 'command' that's unknown to Wireshark.

Hint: parts of the code removed!!

    switch (line_type) {
    case REQUEST_LINE:
        /* .... */
        descr = is_known_request ? "Request" : "Unknown request";
        col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s",
                     descr,
                     tvb_format_text(tvb, offset, linelen - SIP2_HDR_LEN - 1));
        break;

    case STATUS_LINE:
        descr = "Status";
        col_add_fstr(pinfo->cinfo, COL_INFO, "Status: %s",
                     tvb_format_text(tvb, offset + SIP2_HDR_LEN + 1, linelen - SIP2_HDR_LEN - 1));
        break;

    case OTHER_LINE:
    default: /* Squelch compiler complaints */
        descr = "Continuation";   /* the string shown in the Info column */
        col_set_str(pinfo->cinfo, COL_INFO, "Continuation");
        break;
    }

If you can post a sample capture we can have a look and find the explanation for it in the data (like wrong number of whitespace, etc.)

(14 Jan '14, 09:06) Kurt Knochner ♦

Or (by inspecting the code above) a SIP ‘command’ of “OTHER_LINE” as both that and the default (i.e. an unknown ‘command’) will add the “Continuation” string.

(14 Jan '14, 10:26) grahamb ♦


2 Answers:

2

It's perfectly normal, assuming you're capturing live SIP data - when you start Wireshark capturing, and there's SIP/TCP traffic already going back/forth, then some of the initial packets Wireshark sees will be the ending/trailing TCP segments of SIP messages. Wireshark simply doesn't have the whole SIP message in such cases, but instead only some ending portion of them. The SIP parser can't reasonably decode such messages, so it just calls them "continuation" until it finds a start line later.

Since TCP defines no message boundary/framing for its payload application, the SIP parser in Wireshark has to assume that anything not matching a SIP message start line, in a new TCP stream it hasn't seen before, is a "continuation" of a previous SIP message that Wireshark didn't capture the beginning of. So it calls it "continuation", until it finds the beginning of a new SIP message, and from then on in that TCP stream (i.e., for the same 5-tuple) it shouldn't happen again, and instead Wireshark can parse the rest of the SIP messages correctly. (i.e., the TCP segments get reassembled into a whole message, because the SIP parser can figure out what a whole message is)

If you see this in a Wireshark capture where you know you've got all the packets - for example if you generated those packets using a tool or SIP device only after starting Wireshark, then there's something wrong if you see "continuation".

answered 31 Jan '14, 21:28


Hadriel
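
The behaviour described in this answer, as an added example that is not part of the original post and is not Wireshark's own code: a simplified classifier that decides from the first line of a TCP segment whether it starts a SIP message or can only be labelled "Continuation". The names `classify_first_line` and `info_label` and the sample payloads are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model with hypothetical names; not Wireshark's packet-sip.c. */
enum line_type { REQUEST_LINE, STATUS_LINE, OTHER_LINE };
#define SIP_VERSION "SIP/2.0"

/* Classify the first line of one TCP segment's payload. */
static enum line_type classify_first_line(const char *payload)
{
    size_t vlen = strlen(SIP_VERSION);
    size_t linelen = strcspn(payload, "\r\n");   /* look at the first line only */

    /* Status line: "SIP/2.0 <code> <reason>" */
    if (linelen > vlen && payload[vlen] == ' ' &&
        strncmp(payload, SIP_VERSION, vlen) == 0)
        return STATUS_LINE;

    /* Request line: "<METHOD> <URI> SIP/2.0" (version is the last token) */
    if (linelen > vlen + 1) {
        const char *tail = payload + linelen - vlen;
        const char *sp = memchr(payload, ' ', linelen);
        if (sp != NULL && sp != payload && sp < tail - 1 &&
            tail[-1] == ' ' && strncmp(tail, SIP_VERSION, vlen) == 0)
            return REQUEST_LINE;
    }
    /* Anything else, e.g. the tail of a message whose start was not captured. */
    return OTHER_LINE;
}

/* Label for the segment, using the strings from the excerpt quoted above. */
static const char *info_label(const char *payload)
{
    switch (classify_first_line(payload)) {
    case REQUEST_LINE: return "Request";
    case STATUS_LINE:  return "Status";
    default:           return "Continuation";
    }
}

int main(void)
{
    /* Constructed sample payloads, not taken from a real capture. */
    const char *segments[] = {
        "a=rtpmap:0 PCMU/8000\r\n",                       /* trailing SDP of an earlier message */
        "INVITE sip:bob@example.com SIP/2.0\r\nVia: x\r\n",
        "SIP/2.0 200 OK\r\nContent-Length: 0\r\n\r\n",
    };
    for (size_t i = 0; i < sizeof segments / sizeof segments[0]; i++)
        printf("segment %zu: %s\n", i, info_label(segments[i]));
    return 0;
}
```

The first segment carries only the end of a message, so nothing in it matches a start line and it is labelled "Continuation", which is what a capture started mid-stream produces.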

0

"continuation" is probably because Wireshark fails to reassemble the messages. What version of Wireshark are you using? It might be a bug in Wireshark or something in the message makes Wireshark fail to recognize the segments.

answered 19 Nov '13, 11:24


Anders ♦