tcpdump mailing list archives
"truncated arp " message while using -s option
From: "Latha G" <lathajee () gmail com>
Date: Thu, 23 Feb 2006 15:21:14 +0530
Hi all, I am using tcpdump -s option for capturing 20 bytes of the packet.. I thought the output should come like [|arp] / [|ip] / [|igmp] {corresponding to protocol} means at that protocol, the packet was truncated...... but for my surprise for arp packets it was coming like truncated-arp and packet information in hex form. for ex, $ tcpdump -s 40 arp 14:41:08.647627 truncated-arp 0x0000: 0001 0800 0604 0001 0000 0000 1100 0000 ................ 0x0010: 50e2 a209 f8e1 a209 1000 0000 2900 0000 P...........)... 0x0020: 2800 0000 0c00 0000 1500 0001 0608 (............. So, I observed like, for snaplength 1-13 it was coming like [|ether].....it was ok..since ethernet packet header was of 14 bytes length.... for snaplength 14 - 21 it was coming like [|arp]...this is also expected.. but for snaplength 22 - 41 i am getting the above output ....... I thought for snaplength below 42 (since arp packet size 28 bytes + Ethernet Packet header 14 bytes), I am expecting [|arp] For other packets it was ok... this thing i observed only for arp packets.... what is the reason for this behaviour? Thanks in advance.... -- Regards, Latha. - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Current thread:
- "truncated arp " message while using -s option Latha G (Feb 23)
- Re: "truncated arp " message while using -s option Guy Harris (Feb 23)
- Re: "truncated arp " message while using -s option Hannes Gredler (Feb 23)
- Re: "truncated arp " message while using -s option Guy Harris (Feb 23)