This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How wireshark reassembles TCP/SIP segments

0

I have problem in Analyzing a SIP message. The SIP message is fragmented across multiple TCP segments. This is causing a problem in analyzing the SIP message, due to this, few times our code is reading only half the "phone number" etc.

Interesting thing is wireshark is able to reassemble these TCP segments. Just i wanted to know how wireshark is reassembling into one PDU?

Wireshark decodes as below

No Source Destination Protocol Length Info

  1. x.x.x.x y.y.y.y TCP 582 [TCP segment of reassembled PDU]
  2. x.x.x.x y.y.y.y TCP 582 [TCP segment of reassembled PDU]
  3. x.x.x.x y.y.y.y TCP 582 [TCP segment of reassembled PDU]
  4. x.x.x.x y.y.y.y SIP/SDP 562 Request:INVITE:sip [email protected]; User=phone 1

here message 4 is assembled 1,2 and 3 TCP segments

This question is marked "community wiki".

asked 03 Jun '14, 06:54

Veer's gravatar image

Veer
1112
accept rate: 0%

edited 03 Jun '14, 06:56


One Answer:

0

The short answer:

There's some amount of code in the Wireshark SIP dissector (epan/packet-sip.c) to handle reassembly of SIP PDUs.

You'll need to look at the code to see how Wireshark does the reassembly. :)

As you've seen, since TCP is a streaming protocol, a TCP segment can contain only part of a high-level protocol PDU; thus the higher level protocol must have some way to determine the actual length of the PDU to be able get the data (from 1 or more TCP segments) for the complete PDU.

This can be done in various ways: e.g., Having a "length" field as the initial part of the PDU.

answered 03 Jun '14, 07:58

Bill%20Meier's gravatar image

Bill Meier ♦♦
3.2k1850
accept rate: 17%

edited 03 Jun '14, 08:05