Hey guys I am troubleshooting a voice call and I applied a SIP CallID filter, the problem is that I don't see the TCP retransmit anymore in my capture for that specific call ... I have a friend that has Wireshark 1.10.5 and it is working for him but I am on the newer version and it does not show the TCP retransmit . Anyone has any hint to give me? :) Thanks vPackets asked 21 Feb '17, 09:10 vPackets |
One Answer:
By default in recent versions of Wireshark the TCP dissector does not pass "error" packets (such as retransmissions) to upper layer dissectors. This is because these error packets tend to confuse the upper-layer protocol dissectors (because they see the same data more than once). If you want the old functionality back you can disable the TCP preference answered 21 Feb '17, 10:50 JeffMorriss ♦ showing 5 of 6 show 1 more comments |
Thanks a lot.
The problem with || tcp.analysis.retransmission is that it will add ALL the TCP retransmit I had during that capture ... not the specific ones for my SIP.CallID .
Nic
True enough.
On a side note if my answer answers your question please be sure to Accept the answer (by clicking on the checkmark next to it). This is a Q&A site, not a forum--see the FAQ.
So Is there a way to filter a call and the specific TCP retransmit I had for that call ?
I tried SIP Call ID AND TCP.analysis.retransmission but without any luck :(
Thanks to let me know
Nic
I think for that you'll need to disable the
Do not call subdissectors for error packets
preference (and even that's not going to be perfect; if the retransmitted segment doesn't include the Call ID then it won't be caught). AFAIK that's about as good as it's going to get (unless you can filter on something else like the TCP stream number or something).Hey Jeff !
Looks like I got the same results using your advice :(
Do you think of something else or should I downgrade to Wireshark 1.x ?
Thanks !
Sorry, which advice (we talked about a couple different options)? The one that should get you back to the old behavior is disabling the
Do not call subdissectors for error packets
option. It would be interesting to know if the behavior isn't the same.Are there non-SIP fields you can filter on once you have the call isolated (e.g., IP addresses and ports)?