This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Rebuilding PCAP without IP Fragmentation

1

Can Wireshark rebuild an HTTP PCAP that contains IP Fragmentation and rebuild the PCAP so there is no IP Fragmentation present in the PCAP?

asked 16 Aug '16, 13:15

LennyB

edited 17 Aug '16, 03:30

grahamb ♦


One Answer:

0

No, Wireshark doesn't modify packets. I know of no other tool that can reassemble IP fragments and give you a PCAP with the reassembled packets. Why would you need this feature anyway?

answered 16 Aug '16, 13:26

Jasper ♦♦

Jasper, thanks for the answer. The test tool I am using does not support reading in fragmented PCAPs. The PCAPs that I want to use contain IP fragmentation.

(16 Aug '16, 13:36) LennyB

But the test tool can deal with oversized packets? Because that's what will happen if you reassemble IP fragments.

Maybe I can add a feature to TraceWrangler to do this kind of reassembly for you - how urgent is this?

(16 Aug '16, 13:40) Jasper ♦♦

In the development version, packets can be exported in the exported PDU format at the TCP or UDP layer, I think. Would that help?

(16 Aug '16, 14:05) Anders ♦

I also have this need. I have a capture of SIP traffic running permanently. When I need to analyse a call, I use ngrep to filter a callid. But due to fragmentation, I do not get all the SIP messages. I have tcpdump exporting the fragments, but ngrep does not handle fragments. Thus I need jumbo frames.

(17 Aug '16, 05:11) Kjeld Flarup

At least in the development version, you can use tshark to export PDUs at OSI layer 7 to extract the reassembled SIP traffic and then work on the resulting file; you might want to use 2-pass to make sure reassembly is OK.

tshark with parameters -U "OSI layer 7" -2

(17 Aug '16, 07:27) Anders ♦
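
The reassembly asked about in this thread, as an added example that is not from any poster here and is not Wireshark or TraceWrangler code: a standard-library Python routine that reads a pcap, merges IPv4 fragments into whole datagrams and returns a pcap with no fragmentation left in it. It assumes a little-endian classic pcap (not pcapng) holding untruncated, untagged Ethernet frames; the function names `ip_checksum`, `rebuild` and `defragment` are this example's own.

```python
import struct

def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    s = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def rebuild(st):
    """Return the merged Ethernet frame, or None while fragments are missing."""
    if st["hdr"] is None or st["end"] is None:
        return None                              # first or last fragment not seen yet
    payload = b""
    for off in sorted(st["parts"]):
        if off > len(payload):
            return None                          # hole before this fragment
        payload += st["parts"][off][len(payload) - off:]  # trim any overlap
    if len(payload) < st["end"]:
        return None
    hdr = bytearray(st["hdr"])
    struct.pack_into("!H", hdr, 16, len(hdr) - 14 + st["end"])  # new IP total length
    hdr[20:22] = hdr[24:26] = b"\x00\x00"        # clear flags/offset and old checksum
    struct.pack_into("!H", hdr, 24, ip_checksum(bytes(hdr[14:])))
    return bytes(hdr) + payload[: st["end"]]

def defragment(pcap: bytes) -> bytes:
    """Merge IPv4 fragments in an Ethernet pcap; all other frames pass through."""
    out, pending, pos = [pcap[:16] + struct.pack("<I", 262144) + pcap[20:24]], {}, 24
    while pos + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", pcap, pos)
        frame, pos = pcap[pos + 16 : pos + 16 + caplen], pos + 16 + caplen
        is_ip = len(frame) >= 34 and frame[12:14] == b"\x08\x00"
        total, _, frag = struct.unpack_from("!HHH", frame, 16) if is_ip else (0, 0, 0)
        if frag & 0x3FFF:                        # MF set or non-zero fragment offset
            ihl, offset = (frame[14] & 0x0F) * 4, (frag & 0x1FFF) * 8
            key = (frame[26:34], frame[18:20], frame[23])  # addresses, IP ID, protocol
            st = pending.setdefault(key, {"parts": {}, "hdr": None, "end": None})
            st["parts"][offset] = frame[14 + ihl : 14 + total]
            if offset == 0:
                st["hdr"] = frame[: 14 + ihl]    # headers come from the first fragment
            if not frag & 0x2000:
                st["end"] = offset + total - ihl # last fragment fixes the full length
            frame = rebuild(st)
            if frame is None:
                continue                         # datagram still incomplete
            del pending[key]
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)
```

Merged frames can be larger than the link MTU, which is the oversized-packet effect raised in the comments, so the snaplen in the output file header is raised to 262144. Datagrams whose fragments never all arrive are left out of the output.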