tcpdump mailing list archives
Re: why I'm capturing packets larger than MTU size
From: Aaron Turner <synfinatic () gmail com>
Date: Thu, 23 Feb 2012 08:49:20 -0800
On Thu, Feb 23, 2012 at 6:31 AM, Andriy Tylychko <andriy.tylychko () gmail com> wrote:
I capture network traffic on Debian 5 and 6 with libpcap v. 1.2.1 compiled from sources. Then I send these traffic by pcap_sendpacket(). Sometimes there're packets (both TCP and UDP) larger than default MTU size (1500 bytes). I cannot send these packets with error: "send error: packetSendPacket failed". Found this post: http://seclists.org/tcpdump/2007/q2/112 "[Patch] libpcap support for IP fragment reassembly", but I didn't enable such reassemply.
Open your pcap in wireshark... see what's there beyond the 1500 byte limit. I'm going to guess it's the ethernet trailer and not re-assembled IP fragements. Easiest to do it remove the trailer with something like tcprewrite. -- Aaron Turner http://synfin.net/ Twitter: @synfinatic http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin "carpe diem quam minimum credula postero" - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- why I'm capturing packets larger than MTU size (1500 bytes) and how to send them by pcap_sendpacket()? Andriy Tylychko (Feb 23)
- Re: why I'm capturing packets larger than MTU size Aaron Turner (Feb 23)
- Re: why I'm capturing packets larger than MTU size Andriy Tylychko (Feb 23)
- Re: why I'm capturing packets larger than MTU size Aaron Turner (Feb 23)
- Re: why I'm capturing packets larger than MTU size Guy Harris (Feb 23)
- Re: why I'm capturing packets larger than MTU size Andriy Tylychko (Feb 23)
- Re: why I'm capturing packets larger than MTU size Rick Jones (Feb 23)
- Re: why I'm capturing packets larger than MTU size Aaron Turner (Feb 23)