tcpdump mailing list archives

Re: large packets parsing using TcpDump


From: "Mali Shternhell" <malis () voltaire com>
Date: Wed, 1 Dec 2010 08:35:00 +0200

Hi, thanks for the response.
My question is why tcpdump doesn't parse the large SNMP response packet
as it does for the typical response packet.
You can see below the difference between the tcpdump output in the case of a
typical response packet:
14:55:32.144583 IP 172.30.9.40.snmp > 172.30.9.16.47686:
GetResponse(37)  .1.3.6.1.2.1.17.7.1.4.2.1.3.1.153=153

And a large response packet (in this case tcpdump doesn't present the
type of message and OID details):
14:55:32.881113 IP 172.30.9.40.snmp > 172.30.9.16.47686:
[len1468<asnlen4663]

Can you say if it is possible for tcpdump to present the message type and
OID in the case of large SNMP packets (this packet is totally legal)?

Best Regards,
Mali

14:55:32.144583 IP 172.30.9.40.snmp > 172.30.9.16.47686:
GetResponse(37)  .1.3.6.1.2.1.17.7.1.4.2.1.3.1.153=153
        0x0000:  0026 5522 e86a 0008 f140 bc21 0800 4500
        0x0010:  0050 0000 4000 4011 d028 ac1e 0928 ac1e
        0x0020:  0910 00a1 ba46 003c 9cf8 3032 0201 0104
        0x0030:  0670 7562 6c69 63a2 2502 0447 3f6a 3402
        0x0040:  0100 0201 0030 1730 1506 0f2b 0601 0201
        0x0050:  1107 0104 0201 0301 8119 4202 0099
14:55:32.881113 IP 172.30.9.40.snmp > 172.30.9.16.47686:
[len1468<asnlen4663]
        0x0000:  0026 5522 e86a 0008 f140 bc21 0800 4500
        0x0010:  05dc ee81 2000 4011 fc1a ac1e 0928 ac1e
        0x0020:  0910 00a1 ba46 1243 0f56 3082 1237 0201
        0x0030:  0104 0670 7562 6c69 63a2 8212 2802 0447
        0x0040:  3f6a 3602 0100 0201 0030 8212 1830 8212
        0x0050:  1406 0e2b 0601 0201 1107 0104 0201 0401

-----Original Message-----
From: Guy Harris [mailto:guy () alum mit edu]
Sent: Tuesday, November 30, 2010 8:27 PM
To: tcpdump-workers () lists tcpdump org
Cc: Mali Shternhell
Subject: Re: [tcpdump-workers] large packets parsing using TcpDump


On Nov 29, 2010, at 10:24 PM, Mali Shternhell wrote:

I'm using TcpDump in order to capture SNMP request-response messages.

When the response packet is larger than 1468, TcpDump fails to capture
the packet.

What do you mean by "fail to capture the packet"?  If you mean that the
packet isn't captured at all, it obviously won't show up in the output
of tcpdump (and would thus be hard to try to make show up in red :-)),
so presumably that's not what you meant.

If this is over Ethernet (as I suspect it is, given that 1468 is close
to 1500), a single network-layer packet can be up to 14 bytes of
payload, 1500 bytes of data, and 4 bytes of FCS.  If that 1500-byte
payload has a 20-byte minimum size IPv4 header plus an 8-byte UDP
header, that leaves 1472 bytes; any SNMP request or response longer than
1472 bytes will not fit in a single IPv4-over-Ethernet packet.  If
there's 4 bytes of IP options, that would be a 32-byte IPv4 header,
leaving 1468 bytes.

(capture below, failed lines are in red)

Nothing appears to be red in your message.

Note that not everybody who might be reading your mail

        1) is running a mail program that can display colors;

        2) is running a mail program that could conveniently handle
various rich text formats (RTF, HTML, etc.);

        3) is not suffering from some form of color-blindness (I'm not,
but...) or even complete blindness (I don't know whether any screen
readers tell the user what *color* the text they're reading is);

so color probably isn't the best way to indicate something in a mail
message.
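The two hex dumps quoted above, decoded, show exactly what tcpdump's "[len1468<asnlen4663]" marker means and why Guy's 1472-byte limit applies. The following is an added example (not code from tcpdump or from either poster): it parses the Ethernet/IPv4/UDP headers and the leading BER SEQUENCE header of each captured frame, then compares the SNMP length the first fragment announces with the bytes that actually fit in that frame. The constants and the function names are my own.

```python
import struct

# Hex dumps copied from the two tcpdump -x lines quoted in the thread
SMALL = bytes.fromhex(
    "0026 5522 e86a 0008 f140 bc21 0800 4500 0050 0000 4000 4011 d028 ac1e 0928 ac1e"
    "0910 00a1 ba46 003c 9cf8 3032 0201 0104 0670 7562 6c69 63a2 2502 0447 3f6a 3402"
    "0100 0201 0030 1730 1506 0f2b 0601 0201 1107 0104 0201 0301 8119 4202 0099")
LARGE = bytes.fromhex(
    "0026 5522 e86a 0008 f140 bc21 0800 4500 05dc ee81 2000 4011 fc1a ac1e 0928 ac1e"
    "0910 00a1 ba46 1243 0f56 3082 1237 0201 0104 0670 7562 6c69 63a2 8212 2802 0447"
    "3f6a 3602 0100 0201 0030 8212 1830 8212 1406 0e2b 0601 0201 1107 0104 0201 0401")

ETH_MTU = 1500  # bytes of payload one Ethernet frame carries

def ber_header(buf, off):
    """Decode the BER tag/length at buf[off]; return (content_len, header_len)."""
    first = buf[off + 1]
    if first < 0x80:                      # short form: a single length byte
        return first, 2
    n = first & 0x7F                      # long form: n more length bytes follow
    return int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n

def analyse(frame):
    """Compare the announced SNMP length with the bytes present in this frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    ip_total, _, flags_frag = struct.unpack("!HHH", frame[16:22])
    if frame[23] != 17:
        raise ValueError("not UDP")
    udp = 14 + ihl
    udp_len = struct.unpack("!H", frame[udp + 4:frame and udp + 6])[0]
    in_frame = ip_total - ihl - 8         # UDP payload bytes in this fragment
    asn_len, hdr = ber_header(frame, udp + 8)
    available = in_frame - hdr            # what is left after the SEQUENCE header
    return {
        "more_fragments": bool(flags_frag & 0x2000),   # IP MF flag set
        "udp_payload_total": udp_len - 8, # whole datagram across all fragments
        "payload_in_frame": in_frame,
        "asn_len": asn_len,
        "available": available,
        "max_snmp_per_frame": ETH_MTU - ihl - 8,  # 1472 with a 20-byte IP header
        "complete": available >= asn_len,
    }

def diagnostic(frame):
    """Reproduce tcpdump's '[len...<asnlen...]' marker for a truncated message."""
    r = analyse(frame)
    return "" if r["complete"] else f"[len{r['available']}<asnlen{r['asn_len']}]"
```

For the large frame the IP header carries the More Fragments flag and a UDP length of 4675, so the SNMP printer only ever sees the first 1472 payload bytes of a 4667-byte message; a capture tool must reassemble the fragments before it can decode the PDU.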
