Can Wireshark rebuild an HTTP PCAP that contains IP Fragmentation and rebuild the PCAP so there is no IP Fragmentation present in the PCAP?
asked 16 Aug '16, 13:15 LennyB, edited 17 Aug '16, 03:30 grahamb ♦
One Answer:
No, Wireshark doesn't modify packets. I know of no other tool that can reassemble IP fragments and give you a PCAP with the reassembled packets. Why would you need this feature anyway?
answered 16 Aug '16, 13:26 Jasper ♦♦
Jasper, thanks for the answer. The test tool I am using does not support reading in fragmented PCAPs. The PCAPs that I want to use contain IP Fragmentation.
But the test tool can deal with oversized packets? Because that's what will happen if you reassemble IP fragments.
Maybe I can add a feature to TraceWrangler to do this kind of reassembly for you - how urgent is this?
In the development version, packets can be exported in the exported PDU format at the TCP or UDP layer, I think. Would that help?
I also have this need. I have a capture of SIP traffic running permanently. When I need to analyse a call, I use ngrep to filter a callid. But due to fragmentation, I do not get all the SIP messages. I have tcpdump exporting the fragments, but ngrep does not handle fragments. Thus I need jumbo frames.
At least in the development version you can use tshark to export PDU at OSI Layer 7 to extract the reassembled SIP traffic and then work on the resulting file. You might want to use 2 pass to make sure reassembly is OK.
tshark with parameters -U "OSI layer 7" -2
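The reassembly asked about in this thread, written out as an added example (not code from any poster, Wireshark or TraceWrangler): it merges IPv4 fragments and writes a new PCAP containing the oversized packets mentioned above. The function names are this example's own, and it assumes a classic little-endian pcap with Ethernet link type, untagged frames and full-length captures; fragment sets that never complete are left out of the output, and overlapping fragments are resolved in favour of the bytes at the lower offset.

```python
import struct
from pathlib import Path

def ip_checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s & 0xFFFF) + (s >> 16)
    return ~(s + (s >> 16)) & 0xFFFF

def defragment(records):  # (pcap timestamp bytes, Ethernet frame) pairs in, same out
    out, pending = [], {}
    for ts, f in records:
        is_ip = f[12:14] == b"\x08\x00" and len(f) >= 34 and f[14] & 0x0F >= 5
        frag = struct.unpack("!H", f[20:22])[0] if is_ip else 0
        more, off = frag & 0x2000, (frag & 0x1FFF) * 8
        if not (more or off):                 # non-IPv4 or unfragmented: pass through
            out.append((ts, f))
            continue
        ihl, total = (f[14] & 0x0F) * 4, struct.unpack("!H", f[16:18])[0]
        key = (f[26:34], f[23], f[18:20])     # src+dst address, protocol, IP ID
        st = pending.setdefault(key, {"parts": {}, "end": None, "hdr": None})
        st["parts"].setdefault(off, f[14 + ihl:14 + total])  # same offset twice: keep first
        st["hdr"] = st["hdr"] if off else f[:14 + ihl]       # headers come from offset 0
        st["end"] = st["end"] if more else off + total - ihl # last fragment fixes the size
        data = bytearray()
        for o in sorted(st["parts"]):         # a hole stops growth; overlap keeps placed bytes
            data += st["parts"][o][len(data) - o:] if o <= len(data) else b""
        if st["hdr"] is None or st["end"] is None or len(data) < st["end"]:
            continue                          # still waiting for fragments
        hdr, size = bytearray(pending.pop(key)["hdr"]), len(st["hdr"]) - 14 + st["end"]
        if size <= 0xFFFF:                    # beyond the IPv4 maximum: drop, never emit
            hdr[16:18] = struct.pack("!H", size)
            hdr[20:22] = hdr[24:26] = b"\x00\x00"   # clear MF/offset, zero checksum field
            hdr[24:26] = struct.pack("!H", ip_checksum(bytes(hdr[14:])))
            out.append((ts, bytes(hdr) + bytes(data[:st["end"]])))
    return out

def defragment_pcap(src, dst):
    raw = Path(src).read_bytes()
    if raw[:4] != b"\xd4\xc3\xb2\xa1" or raw[20:24] != b"\x01\x00\x00\x00":
        raise ValueError("expected classic little-endian pcap with Ethernet link type")
    pos, recs = 24, []
    while pos + 16 <= len(raw):
        caplen = struct.unpack("<I", raw[pos + 8:pos + 12])[0]
        recs.append((raw[pos:pos + 8], raw[pos + 16:pos + 16 + caplen]))
        pos += 16 + caplen
    out = raw[:16] + struct.pack("<I", 0x40000) + raw[20:24]  # raise snaplen for merged packets
    for ts, f in defragment(recs):
        out += ts + struct.pack("<II", len(f), len(f)) + f
    Path(dst).write_bytes(out)
```

Each merged packet carries the timestamp of the fragment that completed it, and the tool that reads the result still has to accept frames larger than the link MTU.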