I have a problem analyzing a SIP message. The SIP message is fragmented across multiple TCP segments. This is causing a problem in analyzing the SIP message; because of this, a few times our code is reading only half of the "phone number", etc.
The interesting thing is that Wireshark is able to reassemble these TCP segments. I just wanted to know how Wireshark is reassembling them into one PDU.
Wireshark decodes as below
No Source Destination Protocol Length Info
Here message 4 is assembled from TCP segments 1, 2 and 3.
asked 03 Jun '14, 06:54
edited 03 Jun '14, 06:56
The short answer:
There's some amount of code in the Wireshark SIP dissector (epan/packet-sip.c) to handle reassembly of SIP PDUs.
You'll need to look at the code to see how Wireshark does the reassembly. :)
As you've seen, since TCP is a streaming protocol, a TCP segment can contain only part of a higher-level protocol PDU; thus the higher-level protocol must have some way to determine the actual length of the PDU to be able to get the data (from 1 or more TCP segments) for the complete PDU.
This can be done in various ways: e.g., having a "length" field as the initial part of the PDU.
answered 03 Jun '14, 07:58
Bill Meier ♦♦
edited 03 Jun '14, 08:05
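As an added illustration of the answer's point (this is example code, not Wireshark's dissector and not the asker's code): SIP has no leading length field, so a receiver on a stream transport delimits a message by the CRLFCRLF that ends the headers plus the Content-Length header, and must buffer segments until that much data has arrived before reading any field. The INVITE, addresses and phone numbers below are constructed; the first segment boundary is placed inside the From number, as in the question.

```python
import re

HEADER_END = b"\r\n\r\n"
# Content-Length (or its compact form "l") gives the body size; SIP over a
# stream transport relies on it to know where one message ends.
CONTENT_LENGTH = re.compile(rb"^(?:content-length|l)\s*:\s*(\d+)\s*$",
                            re.IGNORECASE | re.MULTILINE)

class SipStreamReassembler:
    """Buffers TCP segment payloads and returns only complete SIP messages."""
    def __init__(self):
        self.buf = b""

    def feed(self, segment):
        """Append one segment payload; return the PDUs it completes (may be none)."""
        self.buf += segment
        pdus = []
        while True:
            self.buf = self.buf.lstrip(b"\r\n")   # keep-alive CRLFs between PDUs
            end = self.buf.find(HEADER_END)
            if end < 0:
                break                             # headers not yet complete
            m = CONTENT_LENGTH.search(self.buf[:end])
            total = end + len(HEADER_END) + (int(m.group(1)) if m else 0)
            if len(self.buf) < total:
                break                             # body not yet complete
            pdus.append(self.buf[:total])
            self.buf = self.buf[total:]
        return pdus

def user_part(pdu, name):
    """Return the user part (here a phone number) of the URI in header `name`."""
    m = re.search(rb"^" + name + rb":\s*<?sip:([^@>;]+)@", pdu, re.I | re.M)
    return m.group(1).decode() if m else None

def demo():
    """Constructed INVITE split into three segments; the first cut lands mid-number."""
    body = b"v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\n"          # constructed SDP
    msg = (b"INVITE sip:+15551230000@example.com SIP/2.0\r\n"
           b"Via: SIP/2.0/TCP 192.0.2.10:5060\r\n"
           b"From: <sip:+15559876543@example.com>;tag=1\r\n"
           b"To: <sip:+15551230000@example.com>\r\n"
           b"Content-Length: %d\r\n\r\n" % len(body)) + body
    cut1 = msg.index(b"+15559876543") + 5          # segment 1 ends inside the number
    cut2 = msg.index(HEADER_END) + 2               # segment 2 ends inside CRLFCRLF
    r = SipStreamReassembler()
    results = [r.feed(msg[:cut1]), r.feed(msg[cut1:cut2]), r.feed(msg[cut2:])]
    return msg, results                            # results == [[], [], [msg]]
```

Only the third feed yields a PDU, and only then is the From number read whole; a parser that works on individual segments would see "+1555" in segment 1.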