HPE Community
Operating System - HP-UX
1819535 Members
1046 Online
109603 Solutions
New Discussion юеВ

tcpdump - setting packet size

 
SOLVED
Go to solution
Burvil Chang
Advisor

тАО01-09-2008 12:25 PM

тАО01-09-2008 12:25 PM

tcpdump - setting packet size

I run tcpdump successfully on my HP-UX 11i system, i.e. I get a file that I can read in wireshark. This is the command I use:

-----------------------------
tcpdump -vvv -e -w /opt/archives/tcpdump.intermittent_slowness.01092008.pcap -i /dev/dlpi0 -s 100 -xx host ip-address-here
-----------------------------

However, the packets are being truncated.

According the manpage at the HP-UX archiving and porting centre (where I downloaded the depot to install) at
http://hpux.cs.utah.edu/hppd/hpux/Networking/Admin/tcpdump-3.9.8/man.html:

-----------------------------
-s Snarf snaplen bytes of data from each packet rather than the default of 68 (with SunOS's NIT, the minimum is actually 96). 68
bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol information from name server and NFS packets (see

...
Setting snaplen to 0 means use the required length to catch whole packets.
-----------------------------

So, I try specifying -s 0 and not -s 100, and I get an error:

tcpdump: invalid snaplen 0

I looked in the tarball, and there's nothing from ./configure --help that says anything about setting the size, so I don't think compiling and installing from source instead of depot would help.

How can I set the size?
http://www.burvil.org
0 Kudos
Reply
6 REPLIES 6
Murat SULUHAN
Honored Contributor

тАО01-09-2008 12:45 PM

тАО01-09-2008 12:45 PM

Solution

Re: tcpdump - setting packet size

Hi Burvil

From "Open Source Network Administration"

One counterintuitive default of tcpdump is that the amount of data captured is only the first 68 bytes of the packet. This is usually enough to grab the protocol headers, but it is not the entire packet. The snaplen option allows you to set the number of bytes tcpdump will grab from the packet. If you wish to view the entire packet (as with the -x option) or if you wish for the verbose options (-v and -vv) to have access to all of the data present in the packet, specify a snaplen size of 1500:

tcpdump -s 1500

We choose 1500 because it is the maximum size of the payload of an Ethernet frame. If we were using tcpdump on a network that is not Ethernet, we might need to set the snaplen size to an even larger value.

Best Regards
Murat
Murat Suluhan
Reply
Burvil Chang
Advisor

тАО01-09-2008 01:28 PM

тАО01-09-2008 01:28 PM

Re: tcpdump - setting packet size

Awesome! That answered it. It works correctly now, and does not truncate the packets.
http://www.burvil.org
0 Kudos
Reply
rick jones
Honored Contributor

тАО01-09-2008 05:46 PM

тАО01-09-2008 05:46 PM

Re: tcpdump - setting packet size

Some "ethernet" networks can support packet sizes >> 1500 bytes - eg gigabit and 10 Gig interfaces which support "jumbo frame" in one way or another.

99 times out of ten all one really needs are the headers. Any particular reason why you need the entire packet out to 1500ish bytes?
there is no rest for the wicked yet the virtuous have no pillows
Reply
Burvil Chang
Advisor

тАО01-10-2008 08:49 AM

тАО01-10-2008 08:49 AM

Re: tcpdump - setting packet size

99 times out of ten all one really needs are the headers. Any particular reason why you need the entire packet out to 1500ish bytes?
=================
I was getting an error on the checksum, noting that the packet was truncated. Although it may not have mattered, I wanted to be sure. These included X Windows packets, but also some packets from a custom application, for which there isn't really a set size. Basically, I just wanted to make sure I got everything.
http://www.burvil.org
0 Kudos
Reply
rick jones
Honored Contributor

тАО01-10-2008 10:13 AM

тАО01-10-2008 10:13 AM

Re: tcpdump - setting packet size

Keep in mind that even with the entire packet, you can/will still see false checksum failures when looking at traffic sourced on the system on which tcpdump is run, when the NIC(s) involved have ChecKsum Offload (CKO) enabled.
there is no rest for the wicked yet the virtuous have no pillows
0 Kudos
Reply
afkpaul
New Member

тАО10-21-2020 01:44 AM

тАО10-21-2020 01:44 AM

Re: tcpdump - setting packet size

Hello everyone

I saw that there is a long time since no one added an answer to this thread so.. 

I was looking a way to not capture packages that have size less than X, in our case to ignore YateDRA SCTP Heartbeat frames that have 126 bytes.

tcpdump -i yate-core greater 127 and net XX.XX.XX.XX/29 and net YY.YY.YY.YY/30

I hope this will help others that reach this Networking thread

sysadmin @ YateBTS

 

Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.