tcpdump mailing list archives
Re: why I'm capturing packets larger than MTU size
From: Aaron Turner <synfinatic () gmail com>
Date: Thu, 23 Feb 2012 09:36:33 -0800
Increase your MTU? 2012/2/23 Andriy Tylychko <andriy.tylychko () gmail com>:
Yeah, seems you're right. After upgrading to libpcap 1.2.1 I see failed sends only on packets with size of 1518 bytes, before that (with default libpcap 0.8 from Debian repository) I saw packets of >2000 bytes. Why I cannot send such packets (of 1518 bytes) by pcap_sendpacket()?-----Original Message----- From: tcpdump-workers-owner () lists tcpdump org [mailto:tcpdump-workers- owner () lists tcpdump org] On Behalf Of Aaron Turner Sent: Thursday, February 23, 2012 6:49 PM To: tcpdump-workers () lists tcpdump org Subject: Re: [tcpdump-workers] why I'm capturing packets larger than MTUsizeOn Thu, Feb 23, 2012 at 6:31 AM, Andriy Tylychko<andriy.tylychko () gmail com>wrote:I capture network traffic on Debian 5 and 6 with libpcap v. 1.2.1 compiled from sources. Then I send these traffic by pcap_sendpacket(). Sometimes there're packets (both TCP and UDP) larger than default MTU size (1500 bytes). I cannot send these packets with error: "send error: packetSendPacket failed". Found this post: http://seclists.org/tcpdump/2007/q2/112 "[Patch] libpcap support for IP fragment reassembly", but I didn't enable such reassemply.Open your pcap in wireshark... see what's there beyond the 1500 bytelimit. I'mgoing to guess it's the ethernet trailer and not re-assembled IPfragements.Easiest to do it remove the trailer with something like tcprewrite. -- Aaron Turner http://synfin.net/ Twitter: @synfinatichttp://tcpreplay.synfin.net/ - Pcapediting and replay tools for Unix & Windows Those who would give upessentialLiberty, to purchase a little temporary Safety, deserve neither Libertynor Safety.-- Benjamin Franklin "carpe diem quam minimum credula postero" - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
-- Aaron Turner http://synfin.net/ Twitter: @synfinatic http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin "carpe diem quam minimum credula postero" - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- why I'm capturing packets larger than MTU size (1500 bytes) and how to send them by pcap_sendpacket()? Andriy Tylychko (Feb 23)
- Re: why I'm capturing packets larger than MTU size Aaron Turner (Feb 23)
- Re: why I'm capturing packets larger than MTU size Andriy Tylychko (Feb 23)
- Re: why I'm capturing packets larger than MTU size Aaron Turner (Feb 23)
- Re: why I'm capturing packets larger than MTU size Guy Harris (Feb 23)
- Re: why I'm capturing packets larger than MTU size Andriy Tylychko (Feb 23)
- Re: why I'm capturing packets larger than MTU size Rick Jones (Feb 23)
- Re: why I'm capturing packets larger than MTU size Aaron Turner (Feb 23)