tcpdump mailing list archives
Re: large packets parsing using TcpDump
From: "Mali Shternhell" <malis () voltaire com>
Date: Wed, 1 Dec 2010 08:35:00 +0200
Hi,

Thanks for the response. My question is why tcpdump doesn't parse the large SNMP response packet as it does for the typical response packet. You can see below the difference between the tcpdump output in the case of a typical response packet:

14:55:32.144583 IP 172.30.9.40.snmp > 172.30.9.16.47686: GetResponse(37) .1.3.6.1.2.1.17.7.1.4.2.1.3.1.153=153

and a large response packet (in this case tcpdump doesn't present the type of message and the OID details):

14:55:32.881113 IP 172.30.9.40.snmp > 172.30.9.16.47686: [len1468<asnlen4663]

Can you say if it is possible for tcpdump to present the message type and OID in the case of large SNMP packets? (This packet is totally legal.)

Best Regards,
Mali

14:55:32.144583 IP 172.30.9.40.snmp > 172.30.9.16.47686: GetResponse(37) .1.3.6.1.2.1.17.7.1.4.2.1.3.1.153=153
        0x0000:  0026 5522 e86a 0008 f140 bc21 0800 4500
        0x0010:  0050 0000 4000 4011 d028 ac1e 0928 ac1e
        0x0020:  0910 00a1 ba46 003c 9cf8 3032 0201 0104
        0x0030:  0670 7562 6c69 63a2 2502 0447 3f6a 3402
        0x0040:  0100 0201 0030 1730 1506 0f2b 0601 0201
        0x0050:  1107 0104 0201 0301 8119 4202 0099

14:55:32.881113 IP 172.30.9.40.snmp > 172.30.9.16.47686: [len1468<asnlen4663]
        0x0000:  0026 5522 e86a 0008 f140 bc21 0800 4500
        0x0010:  05dc ee81 2000 4011 fc1a ac1e 0928 ac1e
        0x0020:  0910 00a1 ba46 1243 0f56 3082 1237 0201
        0x0030:  0104 0670 7562 6c69 63a2 8212 2802 0447
        0x0040:  3f6a 3602 0100 0201 0030 8212 1830 8212
        0x0050:  1406 0e2b 0601 0201 1107 0104 0201 0401

-----Original Message-----
From: Guy Harris [mailto:guy () alum mit edu]
Sent: Tuesday, November 30, 2010 8:27 PM
To: tcpdump-workers () lists tcpdump org
Cc: Mali Shternhell
Subject: Re: [tcpdump-workers] large packets parsing using TcpDump

On Nov 29, 2010, at 10:24 PM, Mali Shternhell wrote:
I'm using TcpDump in order to capture SNMP request-response messages. When the response packet is larger than 1468, TcpDump fails to capture the packet
What do you mean by "fail to capture the packet"? If you mean that the packet isn't captured at all, it obviously won't show up in the output of tcpdump (and would thus be hard to try to make show up in red :-)), so presumably that's not what you meant.

If this is over Ethernet (as I suspect it is, given that 1468 is close to 1500), a single network-layer packet can be up to 14 bytes of payload, 1500 bytes of data, and 4 bytes of FCS. If that 1500-byte payload has a 20-byte minimum size IPv4 header plus an 8-byte UDP header, that leaves 1472 bytes; any SNMP request or response longer than 1472 bytes will not fit in a single IPv4-over-Ethernet packet. If there's 4 bytes of IP options, that would be a 32-byte IPv4 header, leaving 1468 bytes.
(capture below, failed lines are in red)
Nothing appears to be red in your message. Note that not everybody who might be reading your mail 1) is running a mail program that can display colors; 2) is running a mail program that could conveniently handle various rich text formats (RTF, HTML, etc.); 3) is not suffering from some form of color-blindness (I'm not, but...) or even complete blindness (I don't know whether any screen readers tell the user what *color* the text they're reading is); so color probably isn't the best way to indicate something in a mail message.

- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
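The following script is an added example and is not code from the thread or from tcpdump itself. It takes the two hex dumps Mali posted, decodes the Ethernet, IPv4 and UDP headers and the outer BER SEQUENCE of the SNMP message, and then applies the same sanity check tcpdump's ASN.1 parser applies: the length claimed by the BER header has to fit in the SNMP bytes that this IP packet actually carries. For the large response the IPv4 header has the More Fragments flag set and a total length of 1500, so the first fragment carries 1500 - 20 - 8 = 1472 SNMP bytes; after the 4-byte BER header (30 82 12 37) only 1468 remain, while the SEQUENCE claims 0x1237 = 4663, which is exactly the "[len1468<asnlen4663]" tcpdump prints. The function and field names are my own.

```python
"""Explain tcpdump's "[len1468<asnlen4663]" for a fragmented SNMP response.

Added example, not part of the thread and not tcpdump's code. The two frames
below are copied from the hex dumps posted in the thread; the capture cut each
frame after roughly 96 bytes, which still contains every header needed here.
"""
import math
import struct

TYPICAL_FRAME = """
0026 5522 e86a 0008 f140 bc21 0800 4500
0050 0000 4000 4011 d028 ac1e 0928 ac1e
0910 00a1 ba46 003c 9cf8 3032 0201 0104
0670 7562 6c69 63a2 2502 0447 3f6a 3402
0100 0201 0030 1730 1506 0f2b 0601 0201
1107 0104 0201 0301 8119 4202 0099
"""
LARGE_FRAME = """
0026 5522 e86a 0008 f140 bc21 0800 4500
05dc ee81 2000 4011 fc1a ac1e 0928 ac1e
0910 00a1 ba46 1243 0f56 3082 1237 0201
0104 0670 7562 6c69 63a2 8212 2802 0447
3f6a 3602 0100 0201 0030 8212 1830 8212
1406 0e2b 0601 0201 1107 0104 0201 0401
"""

ETHERNET_MTU = 1500  # assumed link MTU, matching Guy's reasoning above


def frame_bytes(dump):
    """Turn a tcpdump-style hex dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def ber_header(buf):
    """Decode a BER tag and length at buf[0]; returns (tag, length, header_len)."""
    tag, first = buf[0], buf[1]
    if first < 0x80:                      # short form: a single length byte
        return tag, first, 2
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized BER length")
    return tag, int.from_bytes(buf[2:2 + n], "big"), 2 + n


def analyze(frame):
    """Return what a dissector sees for one captured Ethernet/IPv4/UDP frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    udp = ip[ihl:]
    udp_len = struct.unpack("!H", udp[4:6])[0]
    snmp = udp[8:]
    tag, asnlen, hdr_len = ber_header(snmp)
    if tag != 0x30:
        raise ValueError("an SNMP message starts with a SEQUENCE")
    # SNMP bytes present in *this* IP packet. The UDP length field describes the
    # whole (reassembled) datagram, but only the first fragment was captured, so
    # the usable length is bounded by the IP total length, as tcpdump does.
    in_packet = total_len - ihl - 8
    avail = in_packet - hdr_len
    return {
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "udp_payload_claimed": udp_len - 8,
        "snmp_in_this_packet": in_packet,
        "asnlen": asnlen,
        "fragments_needed": math.ceil(udp_len / (ETHERNET_MTU - ihl)),
        # The annotation tcpdump prints when the outer SEQUENCE does not fit.
        "verdict": f"[len{avail}<asnlen{asnlen}]" if avail < asnlen else "complete",
    }


if __name__ == "__main__":
    for name, dump in (("typical", TYPICAL_FRAME), ("large", LARGE_FRAME)):
        print(name, analyze(frame_bytes(dump)))
```

Running it shows the large response needs four 1480-byte IP fragments, and that the UDP length 0x1243 = 4675 is consistent with the BER header (8 + 4 + 4663). Since tcpdump dissects each IP fragment as it arrives and does not reassemble, the cure is to capture with a full snaplen and reassemble offline (for example in Wireshark), or to keep the agent's responses under the MTU by asking for fewer variables per request.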
Current thread:
- large packets parsing using TcpDump Mali Shternhell (Nov 30)
- Re: large packets parsing using TcpDump Guy Harris (Nov 30)
- Re: large packets parsing using TcpDump Mali Shternhell (Dec 01)
- Re: large packets parsing using TcpDump Guy Harris (Dec 01)
- Re: large packets parsing using TcpDump Mali Shternhell (Dec 01)
- Re: large packets parsing using TcpDump Guy Harris (Nov 30)