tcpdump mailing list archives
Re: large packets parsing using TcpDump
From: Guy Harris <guy () alum mit edu>
Date: Wed, 1 Dec 2010 10:02:39 -0800
On Nov 30, 2010, at 10:35 PM, Mali Shternhell wrote:
Hi, Thanks for the response. My question is why tcpdump doesn't parse the large SNMP response packet as it does for the typical response packet.
Because the SNMP printer routine that parses an ASN.1 BER item will quit if the length of the item is less than the amount of *captured* packet data available, and you captured with "-s 200", so any data past the first 200 bytes of the packet data were discarded.
Can you say if it is possible for tcpdump to present the message type and OID in case of large SNMP packets?
Try capturing with "-s 0" to capture the entire packet, and see if that works. If it doesn't, the packets might be fragmented at the IP layer, and tcpdump would have to be changed to do IP reassembly, or the SNMP printer would have to be changed so that, for example, it only does the bounds checking for primitive types (*if* that's sufficient to keep it from walking past the end of the packet).
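The two bounds-checking policies Guy describes (check every BER item against the captured length, or check only primitive items), as an added example that is not tcpdump's own code: a toy ASN.1 BER walker run over a constructed 350-byte SNMPv2c GetResponse, once with a 200-byte snaplen and once with the whole packet. The sample message, the tag names and the `[|snmp]` marker are assumptions made for the example.

```python
# Added example, not tcpdump's code: a BER walker over a constructed SNMP GetResponse.
# "captured" models how many bytes of the packet tcpdump kept after -s <snaplen>.
SEQUENCE, INTEGER, OCTET_STRING, OID, GET_RESPONSE = 0x30, 0x02, 0x04, 0x06, 0xA2
NAMES = {SEQUENCE: "SEQUENCE", GET_RESPONSE: "GetResponse-PDU"}
class Truncated(Exception): pass
def encode(tag, content):  # one BER TLV, short or long definite-length form
    n = len(content)
    if n < 0x80: return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def read_header(buf, pos, captured):  # -> (tag, length, content_start)
    if pos + 2 > captured: raise Truncated  # tag/length octets themselves cut off
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80: return tag, first, pos + 2
    nbytes = first & 0x7F
    if pos + 2 + nbytes > captured: raise Truncated
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), pos + 2 + nbytes
def decode_oid(b):  # first octet packs two arcs, the rest are base-128 groups
    arcs, acc = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        acc = (acc << 7) | (x & 0x7F)
        if not x & 0x80: arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def walk(buf, captured, strict, pos, end, out):
    while pos < end:
        tag, length, start = read_header(buf, pos, captured)
        constructed = bool(tag & 0x20)
        # strict: any item past the captured data stops the parse; lenient: only primitives are checked
        if start + length > captured and (strict or not constructed): raise Truncated
        body = buf[start:start + length]
        if constructed:
            out.append(f"{NAMES.get(tag, hex(tag))} {{")
            walk(buf, captured, strict, start, start + length, out)
            out.append("}")
        elif tag == INTEGER: out.append(f"INTEGER {int.from_bytes(body, 'big', signed=True)}")
        elif tag == OID: out.append(f"OBJECT IDENTIFIER {decode_oid(body)}")
        else: out.append(f"OCTET STRING {body!r}" if length <= 32 else f"OCTET STRING ({length} bytes)")
        pos = start + length
def snmp_print(buf, snaplen, strict=True):  # snaplen 0 = whole packet, like -s 0
    captured = len(buf) if snaplen == 0 else min(snaplen, len(buf))
    out = []
    try: walk(buf, captured, strict, 0, len(buf), out)
    except Truncated: out.append("[|snmp]")  # tcpdump's marker for a cut-off item
    return out
def sample_response(value_len):  # constructed SNMPv2c GetResponse for sysDescr.0
    varbind = encode(OID, bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])) + encode(OCTET_STRING, b"A" * value_len)
    ids = b"".join(encode(INTEGER, v) for v in (b"\x01", b"\x00", b"\x00"))  # request-id, error-status, error-index
    pdu = encode(GET_RESPONSE, ids + encode(SEQUENCE, encode(SEQUENCE, varbind)))
    return encode(SEQUENCE, encode(INTEGER, b"\x01") + encode(OCTET_STRING, b"public") + pdu)
```

With `snmp_print(sample_response(300), 200)` the strict policy gives up on the outer SEQUENCE at once, while `strict=False` still reaches the PDU type and the OID before stopping at the 300-byte value that was not captured; both stop at the first uncaptured item, they just differ in how far down the tree they get first.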