Hello From wireshark version 2 and on, I could not decode diameter messages. Wireshark understand the packet as TCP Retransmission. Even with decode us it was not possible to decode it. Thanks Stavros
asked 21 Jul '16, 01:10  steve21 |
One Answer:
Hi again The cap was capture from trace tool which we are using in our Gateway. Problem solved. Unchecked the Analyse TCP sequences fro TCP Preferences. Thanks for your effort answered 21 Jul '16, 03:39 steve21 |
Are you saying that Wireshark marks even the first occurrence of a packet in the capture as a retransmission, or that it does not bother to dissect again a retransmitted packet if it has already dissected its first occurrence?
Can you post the capture at cloudshark or some file sharing service and edit your question with a link to it?
Hello
It is not a re-transmitted message. It's a CCR-U Diameter message.
https://www.cloudshark.org/captures/92e2092341f2
Is it a capture of real traffic or is part of the packets (the IP and TCP part in particular) handcrafted? Because the TCP sequence numbers are clearly wrong, having a constant value of 1 for all packets (which explains why Wireshark doesn't bother inspecting the packet in deeper detail because a TCP packet bearing an already used sequence number and non-zero payload size cannot be anything else but a retransmission), so I wonder how something like this could actually work in a real network. Something is also telling me that use of TCP port 0 is not legal, but I may be wrong.
If it is a real traffic, it only can work because both participants of the conversation use the same incorrect TCP implementation. So interworking with any other vendor's stack would be impossible.