This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have a problem analyzing a SIP message. The SIP message is fragmented across multiple TCP segments. This is causing a problem in analyzing the SIP message; due to this, a few times our code is reading only half the "phone number", etc.

The interesting thing is that Wireshark is able to reassemble these TCP segments. I just wanted to know how Wireshark is reassembling them into one PDU?

Wireshark decodes as below

    No  Source   Destination  Protocol  Length  Info
    1   x.x.x.x  y.y.y.y      TCP       582     [TCP segment of reassembled PDU]
    2   x.x.x.x  y.y.y.y      TCP       582     [TCP segment of reassembled PDU]
    3   x.x.x.x  y.y.y.y      TCP       582     [TCP segment of reassembled PDU]
    4   x.x.x.x  y.y.y.y      SIP/SDP   562     Request:INVITE:sip [email protected]; User=phone 1

Here message 4 is assembled from TCP segments 1, 2 and 3.

asked 03 Jun '14, 06:54

Veer

edited 03 Jun '14, 06:56


The short answer:

There's some amount of code in the Wireshark SIP dissector (epan/packet-sip.c) to handle reassembly of SIP PDUs.

You'll need to look at the code to see how Wireshark does the reassembly. :)

As you've seen, since TCP is a streaming protocol, a TCP segment can contain only part of a high-level protocol PDU; thus the higher-level protocol must have some way to determine the actual length of the PDU to be able to get the data (from 1 or more TCP segments) for the complete PDU.

This can be done in various ways: e.g., having a "length" field as the initial part of the PDU.

answered 03 Jun '14, 07:58

Bill Meier ♦♦

edited 03 Jun '14, 08:05
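
The length-based framing described in the answer above, applied to SIP over TCP, as an added example (not code from the thread and not Wireshark's own implementation): the headers end at the first blank line and the `Content-Length` header (compact form `l`, RFC 3261) gives the body size, so a receiver buffers bytes until both are satisfied before parsing any field. The class name, the size caps and the sample INVITE are assumptions made for illustration, and segments are assumed to arrive in sequence order.

```python
import re

MAX_HEADER = 8192   # assumed cap: refuse header sections larger than this
MAX_BODY = 65536    # assumed cap on the declared body length
# Content-Length or its compact form "l" (RFC 3261), matched per header line
_CLEN = re.compile(rb"^(?:content-length|l)[ \t]*:[ \t]*(\d+)[ \t]*\r?$", re.I | re.M)

class SipStreamFramer:
    """Buffers one direction of a TCP stream and returns whole SIP messages."""
    def __init__(self):
        self.buf = bytearray()

    def feed(self, segment):
        """Append one in-order TCP payload; return the messages it completed."""
        self.buf += segment
        done = []
        while True:
            while self.buf[:2] == b"\r\n":      # CRLF before a start-line is ignored
                del self.buf[:2]
            end = self.buf.find(b"\r\n\r\n")    # blank line closing the headers
            if end < 0:
                if len(self.buf) > MAX_HEADER:
                    raise ValueError("header section exceeds MAX_HEADER")
                return done                     # headers incomplete: wait for more
            m = _CLEN.search(bytes(self.buf[:end + 2]))
            if m is None or int(m.group(1)) > MAX_BODY:
                raise ValueError("missing or oversized Content-Length")
            total = end + 4 + int(m.group(1))   # headers + blank line + body
            if len(self.buf) < total:
                return done                     # body incomplete: wait for more
            done.append(bytes(self.buf[:total]))
            del self.buf[:total]

# Constructed sample (not from the page): one INVITE whose bytes are cut into
# fixed-size pieces, so the user part of the URI is split across "segments".
BODY = b"v=0\r\ns=call\r\n"
SAMPLE = (b"INVITE sip:15551230000@example.invalid;user=phone SIP/2.0\r\n"
          b"Content-Type: application/sdp\r\n"
          b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY

def demo(chunk=16):
    framer = SipStreamFramer()
    stream = SAMPLE + SAMPLE[:25]               # second message still incomplete
    return [framer.feed(stream[i:i + chunk]) for i in range(0, len(stream), chunk)]

if __name__ == "__main__":
    for n, msgs in enumerate(demo(), 1):
        print("segment", n, "->", len(msgs), "complete message(s)")
```

The two caps keep a peer that never sends the blank line, or that declares a huge body, from growing the buffer without bound.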
