"truncated arp " message while using -s option

["Latha G" <lathajee () gmail com>]

Hi all,

I am using tcpdump -s option for capturing 20 bytes of the packet..
I thought the output should come like [|arp] / [|ip] / [|igmp]
{corresponding to protocol}
means at that protocol, the packet was truncated......
but for my surprise for arp packets it was coming like truncated-arp
and packet information in hex form.
for ex, $ tcpdump -s  40  arp
14:41:08.647627 truncated-arp
        0x0000:  0001 0800 0604 0001 0000 0000 1100 0000  ................
        0x0010:  50e2 a209 f8e1 a209 1000 0000 2900 0000  P...........)...
        0x0020:  2800 0000 0c00 0000 1500 0001 0608       (.............

So, I observed like, for snaplength 1-13 it was coming like [|ether].....it
was ok..since ethernet packet header was of 14 bytes length....
for snaplength 14 - 21 it was coming like [|arp]...this is also expected..
but for snaplength 22 - 41 i am getting the above output .......
I thought for snaplength below 42 (since arp packet size 28 bytes + Ethernet
Packet header 14 bytes), I am expecting [|arp]
For other packets it was ok... this thing i observed only for arp
packets....
what is the reason for this behaviour?

Thanks in advance....

--
Regards,
Latha.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.