Hello,

I need to see the changes that are made by a Cisco ASA after SIP inspection. I can see that the incoming TCP segment is 1452 bytes. Leaving the ASA, it is already 1460 bytes. The changes are made at the application level.

To see the stream content at layer 7, I choose a frame from that TCP stream and click on "Follow TCP Stream". Now I can see the ASCII text for the entire conversation in this TCP stream. If I click on a text entry, the corresponding frame is highlighted in Wireshark. If I click on another part of the text, another frame is highlighted. It happens that the text entries that belong to one frame are spread over the entire "Follow TCP Stream" ASCII text.

What I need is to see or highlight the layer 7 (ASCII text) information only for one frame in the TCP stream. Is it possible?

Thanks,
Sergej

asked 03 Mar '16, 08:23 seb
edited 04 Mar '16, 09:57 sindy

One Answer:
Yes, you can select a single frame in the packet (frame) list, either by clicking it directly in the packet list pane of the basic Wireshark window or by clicking the corresponding part of text in the "Follow TCP Stream" window, and then look into the packet dissection pane in the basic window. There you should have two "cards", one showing only the payload of that TCP packet alone and the other showing reassembled data from multiple TCP packets - in this case, the whole SIP message whose part is in the selected frame.

I don't have the details of your scenario, but I assume that you want to see the modification performed by the ASA. To do so, you would right-click the line "Session Initiation Protocol - SIP" in the packet dissection tree in the packet dissection pane and choose

If it does not work for you, please publish the capture and provide a link to it. I haven't found any SIP over TCP capture in my archive, so I could not check each step of my description.

answered 03 Mar '16, 12:30 sindy

Thanks, sindy. It works.
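
A scripted version of the comparison discussed in this thread, as an added example that is not part of the original posts: it reassembles the per-frame TCP payloads from each side of the firewall, tags every SIP line with the frame it starts in, and reports the rewritten lines and the size change. The sample payloads, addresses and frame numbers are constructed, and the address rewrite is an assumed illustration of what SIP inspection may change.

```python
import difflib

# Constructed sample: (frame number, TCP payload) of one SIP message as captured
# on each side of the firewall. The address rewrite is an assumed illustration.
INSIDE = [
    (11, b"INVITE sip:bob@example.com SIP/2.0\r\n"
         b"Via: SIP/2.0/TCP 10.0.0.5:5060\r\nContact: <sip:al"),
    (12, b"ice@10.0.0.5:5060>\r\nContent-Length: 0\r\n\r\n"),
]
OUTSIDE = [
    (27, b"INVITE sip:bob@example.com SIP/2.0\r\n"
         b"Via: SIP/2.0/TCP 203.0.113.10:5060\r\n"),
    (28, b"Contact: <sip:alice@203.0.113.10:5060>\r\nContent-Length: 0\r\n\r\n"),
]

def lines_with_frames(segments):
    """Reassemble the payloads; return (frame of the line's first byte, line)."""
    starts, pos = [], 0
    for frame_no, payload in segments:
        starts.append((pos, frame_no))
        pos += len(payload)
    out, offset = [], 0
    for raw in b"".join(p for _, p in segments).split(b"\r\n"):
        frame_no = max(s for s in starts if s[0] <= offset)[1]
        out.append((frame_no, raw.decode("ascii", "replace")))
        offset += len(raw) + 2  # account for the CRLF removed by split()
    return out

def changes(before, after):
    """Return (tag, before_lines, after_lines) for every differing region."""
    b, a = lines_with_frames(before), lines_with_frames(after)
    sm = difflib.SequenceMatcher(None, [t for _, t in b], [t for _, t in a],
                                 autojunk=False)
    return [(tag, b[i1:i2], a[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]

def size_delta(before, after):
    """Byte growth of the application data between the two capture points."""
    return sum(len(p) for _, p in after) - sum(len(p) for _, p in before)

if __name__ == "__main__":
    for tag, old, new in changes(INSIDE, OUTSIDE):
        for (fb, lb), (fa, la) in zip(old, new):
            print(f"{tag}: frame {fb}: {lb!r} -> frame {fa}: {la!r}")
    print("payload size delta:", size_delta(INSIDE, OUTSIDE), "bytes")
```

Real input for each capture can be exported with `tshark -r <file> -Y "tcp.stream == N" -T fields -e frame.number -e tcp.payload` (`<file>` and `N` are placeholders), converting the hex-encoded payload column to bytes.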