This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SCTP: “Protocols in frame” problem

0

I am analyzing diameter over sctp packets. There are also vendor specific AVPs included which I have added to the diameter dictionary.
My problem is that I get a different analysis result on two different computers. One is running Windows 8 and the other is running Windows 7, but this might not be relevant. On both computers I have installed "Version 1.10.5 (SVN Rev 54262 from /trunk-1.10)". And to avoid any further differences I have copied the diameter subdirectory containing the dictionaries from one computer to the other.

But then I still get a different result on both computers. The reason is the detected protocols in frame.

On one computer (Windows 8) I get the expected result:
[Protocols in frame: eth:vlan:vlan:ip:sctp]
The packet (2) is identified as "SCTP SACK DATA (Message Fragment)"
The next packet (3) then shows the Diameter packet fully reassembled with all vendor specific AVPs.

On the other computer (Windows 7) I get the result:
[Protocols in frame: eth:vlan:vlan:ip:sctp:diameter:diameter:diameter:diameter.3gpp:diameter:diameter.3gpp:xml]
The packet (2) is identified as "Diameter SACK cmd=..."
The next packet (3) cannot be reassembled [Unreassembled packet: Diameter]

What might be wrong here? If necessary I can add the 4 packets around the problem in pcap-format.

asked 10 Feb '14, 22:18


efranz
accept rate: 0%

1

So if you read the same capture file with the same version of Wireshark on a Windows 7 machine and a Windows 8 machine, you get different results?

What happens if you make sure that the preference settings for the IP, SCTP and Diameter protocols on the Windows 8 machine are the same as they are on the Windows 7 machine (i.e., look at the settings on the Windows 7 machine, and change the settings on the Windows 8 machine to match them)?

(11 Feb '14, 00:53) Guy Harris ♦♦

Yes, that is the same capture file and the same version of Wireshark (in both cases the 64-bit version).

Regarding the preference settings for IP, SCTP and Diameter protocol I assume these are the same on both machines, because I did not modify anything afaik. But I will check it in the evening and answer.
(The Windows 8 machine is my private notebook and the Windows 7 machine is the office PC).

(11 Feb '14, 01:04) efranz

Just as an update:

The SCTP preference to reassemble fragmented messages is generally not enabled (independent of Windows 7 or 8).
I enabled reassembling of fragmented messages on my Windows 8 machine and forgot it. Then I recognized the discrepancy.

Maybe it would be a good idea to enable reassembling of fragmented SCTP messages generally (per default). I don't know any reason where this may harm.

(11 Feb '14, 21:09) efranz
1

Well, it's probably off because enabling it means using more CPU and lots more memory. But TCP has desegmentation enabled by default so I guess it probably makes sense for SCTP to as well.

I submitted a change to change the default.

BTW, if the Answer on this question, well, answered your question, please Accept it (by clicking the checkmark) so the question won't show up in the list of unanswered questions.

(13 Feb '14, 13:06) JeffMorriss ♦

One Answer:

1

(As implied by Guy), it sounds a lot like the SCTP preference to reassemble fragmented messages is not enabled on the Windows 7 machine. (It's off by default.)

answered 11 Feb '14, 12:02


JeffMorriss ♦
accept rate: 27%
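To make the difference between the two machines concrete, here is an added Python example (not code from the question, the answers, or Wireshark itself) that builds a constructed two-fragment Diameter-over-SCTP exchange, joins DATA chunks by their B/E flags per stream sequence number, and compares the Diameter header's length field with the bytes each delivery actually contains. It assumes in-order fragments on a single stream and does no TSN bookkeeping; the chunk layout follows RFC 4960 and the 20-byte header follows RFC 6733.

```python
import struct

SCTP_DATA, SCTP_SACK, FLAG_E, FLAG_B = 0, 3, 0x01, 0x02  # chunk types and DATA chunk flag bits
DIAMETER_PPID = 46  # SCTP payload protocol identifier registered for Diameter
def data_chunk(flags, tsn, sid, ssn, data, ppid=DIAMETER_PPID):
    """Build one SCTP DATA chunk: 16-byte header, user data, padding to a 4-byte boundary."""
    hdr = struct.pack("!BBHIHHI", SCTP_DATA, flags, 16 + len(data), tsn, sid, ssn, ppid)
    return hdr + data + b"\0" * (-len(data) % 4)
def parse_chunks(chunks):
    """Walk one SCTP packet's chunk list; return its DATA chunks and skip every other type."""
    out, off = [], 0
    while off + 4 <= len(chunks):
        ctype, flags, length = struct.unpack_from("!BBH", chunks, off)
        if ctype == SCTP_DATA and length >= 16:
            tsn, sid, ssn, ppid = struct.unpack_from("!IHHI", chunks, off + 4)
            out.append((flags, tsn, sid, ssn, ppid, chunks[off + 16:off + length]))
        off += max(4, (length + 3) & ~3)  # chunks are 4-byte aligned; max() stops a zero-length loop
    return out
def deliver(chunk_tuples, reassemble):
    """Model the SCTP reassembly preference: on, join B..E fragments per (stream, SSN); off, pass each fragment up as-is."""
    pending, messages = {}, []
    for flags, _tsn, sid, ssn, _ppid, data in chunk_tuples:
        if not reassemble:
            messages.append(data)
            continue
        key = (sid, ssn)
        if flags & FLAG_B:
            pending[key] = []  # beginning fragment opens a new user message
        if key not in pending:
            continue  # middle or end fragment whose beginning was never seen
        pending[key].append(data)
        if flags & FLAG_E:  # end fragment completes the user message
            messages.append(b"".join(pending.pop(key)))
    return messages
def diameter_check(msg):
    """Compare the Diameter header's 24-bit message length with the bytes actually delivered."""
    if len(msg) < 20:
        return "too short for a Diameter header"
    length = int.from_bytes(msg[1:4], "big")
    return "ok" if length == len(msg) else f"Diameter length {length} but only {len(msg)} bytes"
# Constructed sample: a 32-byte Diameter answer (20-byte header, cmd 272, plus one 12-byte
# Result-Code AVP) sent as two DATA fragments; packet 1 also carries a SACK chunk, as in the thread.
DIAMETER_MSG = (struct.pack("!B3sB3sIII", 1, (32).to_bytes(3, "big"), 0, (272).to_bytes(3, "big"), 4, 1, 1)
                + struct.pack("!IB3sI", 268, 0x40, (12).to_bytes(3, "big"), 2001))
SACK = struct.pack("!BBHIIHH", SCTP_SACK, 0, 16, 99, 65535, 0, 0)
PACKETS = [SACK + data_chunk(FLAG_B, 100, 0, 0, DIAMETER_MSG[:24]),
           data_chunk(FLAG_E, 101, 0, 0, DIAMETER_MSG[24:])]
def analyse(reassemble):
    """Report what the Diameter layer sees per delivered unit, with the preference on or off."""
    chunks = [c for pkt in PACKETS for c in parse_chunks(pkt)]
    return [diameter_check(m) for m in deliver(chunks, reassemble)]
```

With the preference off, the first fragment is parsed as a Diameter header whose length does not match the bytes present and the second fragment is undissectable, which is the "Unreassembled packet" symptom from the question; with it on, only the joined 32-byte message reaches the Diameter layer.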