Re: 'tcpdump -s0' payload length limit?

[Guy Harris <guy () alum mit edu>]

On Aug 25, 2004, at 11:05 AM, David Front wrote:

> 11:33:55.601653 IP lxfs5623.cern.ch.32962 > lcgmon002d.cern.ch.12509: 
> UDP, length: 1637

"UDP, length: 1637" means that the *UDP* packet length is 1637 bytes.

That doesn't mean that the *Ethernet* packet is 1637 bytes, as you note 
later:

> IP message may consist of a few Ethernet messages.

A 1637-byte UDP message will be put inside a single IP message - but if 
you send that over Ethernet, it will be split into two fragments, each 
one in a separate Ethernet message.

Tcpdump doesn't reassemble fragmented IP datagrams, so it'll only print 
the data in the first fragment.

> Please update me if there is a way to work around the problem,
>  or if this is a tcpdump problem.

It's a tcpdump problem (having nothing to do with truncating Ethernet 
packets - the Ethernet packet packet really *is* that short), but there 
is a workaround - use a network analyzer that *does* reassemble 
fragmented IP datagrams.

Ethereal and Tethereal will reassemble fragmented IP datagrams, if 
configured to do so.

Note, however, that the reassembly is *NOT* done at the low-layer 
capture level, so a capture filter of "port 12509" will only capture 
the first fragment of a fragmented datagram, and Ethereal and Tethereal 
will *NOT* be able to reassemble the packet.  You would have to specify 
a filter that looks only at the IP headers, such as a filter that 
checks for UDP, or that checks for UDP traffic between two particular 
hosts, in order to capture *all* the fragments.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.