topic Re: tcpdump - setting packet size in Operating System - HP-UX

tcpdump - setting packet size

Burvil Chang — Wed, 09 Jan 2008 20:25:04 GMT

I run tcpdump successfully on my HP-UX 11i system, i.e. I get a file that I can read in wireshark. This is the command I use:

-----------------------------
tcpdump -vvv -e -w /opt/archives/tcpdump.intermittent_slowness.01092008.pcap -i /dev/dlpi0 -s 100 -xx host ip-address-here
-----------------------------

However, the packets are being truncated.

According the manpage at the HP-UX archiving and porting centre (where I downloaded the depot to install) at
http://hpux.cs.utah.edu/hppd/hpux/Networking/Admin/tcpdump-3.9.8/man.html:

-----------------------------
-s Snarf snaplen bytes of data from each packet rather than the default of 68 (with SunOS's NIT, the minimum is actually 96). 68
bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol information from name server and NFS packets (see

...
Setting snaplen to 0 means use the required length to catch whole packets.
-----------------------------

So, I try specifying -s 0 and not -s 100, and I get an error:

tcpdump: invalid snaplen 0

I looked in the tarball, and there's nothing from ./configure --help that says anything about setting the size, so I don't think compiling and installing from source instead of depot would help.

How can I set the size?

Re: tcpdump - setting packet size

Murat SULUHAN — Wed, 09 Jan 2008 20:45:09 GMT

Hi Burvil

From "Open Source Network Administration"

One counterintuitive default of tcpdump is that the amount of data captured is only the first 68 bytes of the packet. This is usually enough to grab the protocol headers, but it is not the entire packet. The snaplen option allows you to set the number of bytes tcpdump will grab from the packet. If you wish to view the entire packet (as with the -x option) or if you wish for the verbose options (-v and -vv) to have access to all of the data present in the packet, specify a snaplen size of 1500:

tcpdump -s 1500

We choose 1500 because it is the maximum size of the payload of an Ethernet frame. If we were using tcpdump on a network that is not Ethernet, we might need to set the snaplen size to an even larger value.

Best Regards
Murat

Re: tcpdump - setting packet size

Burvil Chang — Wed, 09 Jan 2008 21:28:17 GMT

Awesome! That answered it. It works correctly now, and does not truncate the packets.

Re: tcpdump - setting packet size

rick jones — Thu, 10 Jan 2008 01:46:54 GMT

Some "ethernet" networks can support packet sizes >> 1500 bytes - eg gigabit and 10 Gig interfaces which support "jumbo frame" in one way or another.

99 times out of ten all one really needs are the headers. Any particular reason why you need the entire packet out to 1500ish bytes?

Re: tcpdump - setting packet size

Burvil Chang — Thu, 10 Jan 2008 16:49:27 GMT

99 times out of ten all one really needs are the headers. Any particular reason why you need the entire packet out to 1500ish bytes?
=================
I was getting an error on the checksum, noting that the packet was truncated. Although it may not have mattered, I wanted to be sure. These included X Windows packets, but also some packets from a custom application, for which there isn't really a set size. Basically, I just wanted to make sure I got everything.

Re: tcpdump - setting packet size

rick jones — Thu, 10 Jan 2008 18:13:37 GMT

Keep in mind that even with the entire packet, you can/will still see false checksum failures when looking at traffic sourced on the system on which tcpdump is run, when the NIC(s) involved have ChecKsum Offload (CKO) enabled.

Re: tcpdump - setting packet size

afkpaul — Wed, 21 Oct 2020 08:44:12 GMT

Hello everyone

I saw that there is a long time since no one added an answer to this thread so..

I was looking a way to not capture packages that have size less than X, in our case to ignore YateDRA SCTP Heartbeat frames that have 126 bytes.

tcpdump -i yate-core greater 127 and net XX.XX.XX.XX/29 and net YY.YY.YY.YY/30

I hope this will help others that reach this Networking thread

sysadmin @ YateBTS