tcpdump mailing list archives

Re: large packets parsing using TcpDump


From: Guy Harris <guy () alum mit edu>
Date: Wed, 1 Dec 2010 10:02:39 -0800


On Nov 30, 2010, at 10:35 PM, Mali Shternhell wrote:

> Hi, thanks for the response.
> My question is why tcpdump doesn't parse the large SNMP response packet
> as it does for the typical response packet.

Because the SNMP printer routine that parses an ASN.1 BER item will quit if the length of the item is less than the 
amount of *captured* packet data available, and you captured with "-s 200", so any data past the first 200 bytes of the 
packet data were discarded.

> Can you say if it is possible for tcpdump to present the message type and
> OID in the case of large SNMP packets?

Try capturing with "-s 0" to capture the entire packet, and see if that works.

If it doesn't, the packets might be fragmented at the IP layer, and tcpdump would have to be changed to do IP 
reassembly, or the SNMP printer would have to be changed so that, for example, it only does the bounds checking for 
primitive types (*if* that's sufficient to keep it from walking past the end of the packet).

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
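The behaviour described in the reply above, as an added example that is not tcpdump's code: a small BER walker run over a constructed SNMPv2c GetResponse, once on the full payload and once on what "-s 200" leaves of it after the link-layer, IP and UDP headers (assumed 14 + 20 + 8 bytes here, so 158 bytes of SNMP). The strict policy refuses any item whose declared length runs past the captured data, so the outer SEQUENCE alone makes it give up and nothing about the message can be reported; the lenient policy applies that check only to primitive items and walks into the truncated constructed ones, which is the alternative mentioned above and recovers the PDU type, request-id and first OID before stopping at the cut sysDescr value. The packet contents, the header sizes and the policy names are assumptions made for illustration.

```python
# Added example (not tcpdump's code): a BER walk of an SNMP response whose capture was
# cut by a small snaplen, under two bounds-check policies. Packet and sizes are assumed.

SNAPLEN = 200                                # the "-s 200" from the thread
LINK_HEADERS = 14 + 20 + 8                   # assumed Ethernet + IPv4 + UDP, no options
PAYLOAD_CAPTURED = SNAPLEN - LINK_HEADERS    # 158 bytes of SNMP survive
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}

# Minimal BER encoder, just enough to build the sample packet.
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_get_response(request_id, sys_descr):
    """SNMPv2c GetResponse carrying one varbind, sysDescr.0 = sys_descr."""
    varbind = tlv(0x30, ber_oid("1.3.6.1.2.1.1.1.0") + tlv(0x04, sys_descr))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, b"public") + pdu)   # version 1 = v2c

class Truncated(Exception): pass

def read_header(buf, pos, end):
    # Return (tag, length, value_start); raise Truncated if the header itself is cut.
    if pos + 2 > end:
        raise Truncated("tag/length header cut at offset %d" % pos)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        return tag, first, pos
    n = first & 0x7F
    if n == 0 or pos + n > end:
        raise Truncated("long-form length cut at offset %d" % pos)
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n

def walk(buf, pos, end, strict, out, depth=0):
    """Append (depth, tag, value) per item, value None for constructed items. strict=True
    bails whenever a declared length exceeds the captured bytes; strict=False checks
    only primitives and descends into whatever part of a constructed item was captured."""
    while pos < end:
        tag, length, vstart = read_header(buf, pos, end)
        vend, constructed = vstart + length, bool(tag & 0x20)
        if vend > end:
            if strict or not constructed:
                raise Truncated("tag 0x%02x: length %d exceeds %d captured bytes"
                                % (tag, length, end - vstart))
            vend = end
        if constructed:
            out.append((depth, tag, None))
            walk(buf, vstart, vend, strict, out, depth + 1)
        else:
            out.append((depth, tag, bytes(buf[vstart:vend])))
        pos = vend

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_snmp(payload, strict):
    # What a printer using the given policy could still report about this payload.
    items, r = [], {"pdu_type": None, "request_id": None, "first_oid": None, "truncated": None}
    try:
        walk(payload, 0, len(payload), strict, items)
    except Truncated as e:
        r["truncated"] = str(e)          # items collected before the bail-out are kept
    for depth, tag, value in items:
        if depth == 1 and tag in PDU_TYPES and r["pdu_type"] is None:
            r["pdu_type"] = PDU_TYPES[tag]
        elif depth == 2 and tag == 0x02 and r["request_id"] is None:
            r["request_id"] = int.from_bytes(value, "big", signed=True)
        elif tag == 0x06 and r["first_oid"] is None:
            r["first_oid"] = decode_oid(value)
    return r

# Constructed sample: a 400-byte sysDescr makes the whole message 452 bytes.
FULL = build_get_response(1234567, b"Linux agent " + b"x" * 388)
TRUNCATED = FULL[:PAYLOAD_CAPTURED]          # what "-s 200" would have kept

def demo():
    return {"full": parse_snmp(FULL, strict=True),
            "cut_strict": parse_snmp(TRUNCATED, strict=True),
            "cut_lenient": parse_snmp(TRUNCATED, strict=False)}
```

Calling `demo()` shows the three outcomes side by side: the full payload parses under either policy, the 158-byte copy yields nothing under the strict check because the outer SEQUENCE already claims 448 bytes, and the lenient walk still reports GetResponse, the request-id and 1.3.6.1.2.1.1.1.0 before it stops at the cut sysDescr value. Capturing with "-s 0" only helps when the whole datagram arrived in one frame; once the UDP datagram is fragmented at the IP layer, the later fragments carry no UDP header and never reach the SNMP printer without reassembly, which is the second case raised above.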

