Re: tcpdump and wireshark

[Arien Vijn <arien.vijn () ams-ix net>]

On 15 sep 2008, at 23:05, Dmitry wrote:

> Hello.
> I'm interesting in info extraction from pcap dumps.
> Recently I did some test dump of downloaded picture with tcpdump and  
> wrote
> it to file 'dump.pcap'.
>
> Test zero:
> I have started capture on 192.168.0.1 host and did http request of  
> image to
> 192.168.0.2
> Nothing else dropped to dump except arp requests etc.
>
> Test one:
> I've opened dump with wireshark.
> Found stream, filtered it out and saved raw data to file 'dump.hex'
> Deleted HTTP request till \xff byte before JFIF header and got image.
>
> Test two:
> I've processed dump thru tcpdump in command-line manner
> $> tcpdump -nn -r dump.pcap src host 192.168.0.2 and src port 80 and  
> dst
> host 192.168.0.1 and dst port 50713 -w dump.hex
> Deleted HTTP request till \xff byte before JFIF header and got wrong  
> image.
>
> So, there I've got in trouble. What I'm doing wrong with tcpdump?

Snap length I guess. Tcpdump's default is 68 bytes. Try the parameter:  
"-s 0" to capture the whole packet.

I believe that tshark captures the entire packet by default.

-- Arien

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.