tcpdump mailing list archives

Re: why I'm capturing packets larger than MTU size

From: Aaron Turner <synfinatic () gmail com>
Date: Thu, 23 Feb 2012 08:49:20 -0800

On Thu, Feb 23, 2012 at 6:31 AM, Andriy Tylychko
<andriy.tylychko () gmail com> wrote:

I capture network traffic on Debian 5 and 6 with libpcap v. 1.2.1 compiled
from sources. Then I send these traffic by pcap_sendpacket(). Sometimes
there're packets (both TCP and UDP) larger than default MTU size (1500
bytes). I cannot send these packets with error: "send error:
packetSendPacket failed". Found this post:
http://seclists.org/tcpdump/2007/q2/112 "[Patch] libpcap support for IP
fragment reassembly", but I didn't enable such reassemply.


Open your pcap in wireshark... see what's there beyond the 1500 byte
limit.  I'm going to guess it's the ethernet trailer and not
re-assembled IP fragements.  Easiest to do it remove the trailer with
something like tcprewrite.


-- 
Aaron Turner
http://synfin.net/         Twitter: @synfinatic
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
"carpe diem quam minimum credula postero"
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Current thread:

why I'm capturing packets larger than MTU size (1500 bytes) and how to send them by pcap_sendpacket()? Andriy Tylychko (Feb 23)
- Re: why I'm capturing packets larger than MTU size Aaron Turner (Feb 23)
  - Re: why I'm capturing packets larger than MTU size Andriy Tylychko (Feb 23)
    - Re: why I'm capturing packets larger than MTU size Aaron Turner (Feb 23)
    - Re: why I'm capturing packets larger than MTU size Guy Harris (Feb 23)
- Re: why I'm capturing packets larger than MTU size Rick Jones (Feb 23)