Hi Experts, I was under the impression that wireshark incorporated feature that when we save filtered displayed trace, it also saves dependent fragments of packets. So that the newly saved file can be restored to show all packets that were displayed in the raw trace. Is this function works for SCTP. I am not seeing this for my traces. We are running MEGACO and DIAMETER over SCTP. I am using Version 2.0.2 (v2.0.2-0-ga16e22e from master-2.0) //SShark asked 07 Jul '16, 20:18  sshark |
One Answer:
So it works in general but not for one particular message? In that case we'd need to see the capture. You could post it someplace public like cloudshark.org or, since it sounds it may be a bug, raise a bug (you can mark the bug was private if the capture file is sensitive--one of the core developers can then mark the attachment as private and make the bug public; unfortunately mere mortals don't have the ability to mark attachments as private). answered 08 Jul '16, 08:24  JeffMorriss ♦ Bug 12597 reported (09 Jul '16, 05:12) sshark |
Can you specify exactly what steps you're doing?
I just tried it with 2.0.4 and it worked. Basically I:
(The Displayed column showed that I was going to save 2 packets rather than the 1 displayed in the packet list--which is what I wanted.)
The notes from the commit that added this feature indicate that it only works when exporting/saving the All the Displayed packets--it doesn't work with the Selected Packet or Marked Packet cases.
Yes, I did exactly as you described
Yes, understand that the feature works if I save all Displayed Packets
I have in Packet re-assemble enabled under Edit - Preference - Protocol, IPv4 & SCTP
Can share sample traces via email