Hi; Whwn we create a SIP call INVITE do not appears in Wireshark trace. When we filter the trace as SIP the flow starts with "100 Trying". When i search full trace the psition that belongs to INVITE is covered with "Fragmented IP Protocol". It seems like wireshark can not produce the INVITE Message normally. Is there ant option to have INVITE message with correct format with Wireshark? Thanks Best Regards asked 29 Nov '11, 03:45  m_ayazici |
2 Answers:
Hi, Disable the option "Reassemble fragmented IPv4 datagrams" in wireshark. Edit -> Preferences -> Protocols -> IPv4. Once this is done, you will see the pcap correctly. Regards Diego answered 23 Apr '14, 00:43  dpombo |
No idea if this helps, but you could try to toggle the "Reassemble fragmented IPv4 datagrams" in the IPv4 protocol preferences setting. Sometimes the Reassembly setting fools around with the decoding, so it might help to try to change it. answered 29 Nov '11, 12:09  Jasper ♦♦ |
"Reassemble fragmented IPv4 datagrams" was selected in the configuration of wireshark as default. I deselect it and tried again but it still seems as "Fragmented IP Protocol"
I tried it in SIP protocol also but it didn't effect also.
Thanks a lot for your help
The traffic probably is fragmented, and there's something preventing the IPv4 dissector from reassembling the fragments. such as packets having been cut short by a snapshot length when capturing or IP checksum offloading causing outgoing packets to appear to have bad checksums.
There's nothing that can be done about the first of those, other than "don't capture with a snapshot length". For the second of those, if the "Fragmented IP Protocol" packets have a bad IP header checksum, turn off the "Validate the IPv4 checksum if possible" preference for IP.
(And if you've turned off "Reassemble fragmented IPv4 datagrams", turn it back on! If it's off, Wireshark won't even try to reassemble fragmented IPv4 datagrams.)