Operating System - HP-UX

what the meaning of IP truncated-ip - 6760 bytes missing!?

 
yao_4
Occasional Contributor


Hi, expert,

when I use tcpdump to sniff the network,
I get the message: IP truncated-ip - 6760 bytes missing!? What is the meaning of this?

thx a lot
Laurent Menase
Honored Contributor

Re: what the meaning of IP truncated-ip - 6760 bytes missing!?

probably an IP fragment.
Avinash20
Honored Contributor

Re: what the meaning of IP truncated-ip - 6760 bytes missing!?

Is the OS HP-UX? What is the version of the OS?
# uname -a
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
Rasheed Tamton
Honored Contributor

Re: what the meaning of IP truncated-ip - 6760 bytes missing!?

Hi,

Did you install tcpdump from a depot?
What command did you use? Please post the full command.

Rgds.
Laurent Menase
Honored Contributor

Re: what the meaning of IP truncated-ip - 6760 bytes missing!?

It is an IP fragment from a message of probably 8192 bytes. I suppose the first fragment,
because when you take the message at NIC level, messages are not reassembled by the IP level.

Rasheed Tamton
Honored Contributor

Re: what the meaning of IP truncated-ip - 6760 bytes missing!?

Just try with the -s option.

Rgds.
yao_4
Occasional Contributor

Re: what the meaning of IP truncated-ip - 6760 bytes missing!?

It is HP-UX 11.11, and I installed using a depot.
When I use tcpdump -s:
./tcpdump -i lan1 -s 5000
14:39:36.794549 IP truncated-ip - 6760 bytes missing! 192.168.9.12.61781 > 192.1
I found many such messages. What does it mean?
Why did it happen?

Thx a lot

yao_4
Occasional Contributor

Re: what the meaning of IP truncated-ip - 6760 bytes missing!?

Does it mean the network is very busy?
Rasheed Tamton
Honored Contributor

Re: what the meaning of IP truncated-ip - 6760 bytes missing!?

Can you increase the -s value more and see whether you get any changes? Give a bigger value like 10000 or 20000.
Rasheed Tamton
Honored Contributor

Re: what the meaning of IP truncated-ip - 6760 bytes missing!?

What versions of tcpdump and libpcap are you using?

tcpdump -h

Ralph Grothe
Honored Contributor

Re: what the meaning of IP truncated-ip - 6760 bytes missing!?

I would assume a tcpdump snaplength of naught should filter the entire payload.
Try
tcpdump -s 0 ...
Madness, thy name is system administration
Laurent Menase
Honored Contributor

Re: what the meaning of IP truncated-ip - 6760 bytes missing!?

When you use tcpdump directly over an interface, the message will be taken before it is reassembled by the IP layer.
So if you have IP-fragmented traffic, like NFS over UDP for instance, tcpdump will get only 1 fragment of the full message, causing that error message.

To avoid this type of problem, use nettl in place of tcpdump:

nettl -tn all -e NS_LS_IP -f /myoutputfile

nettl -tf -e all (to stop the tracing)
If you lose messages, you can lower the copied part using -m 80, if only the header is interesting for you.
Then, for convenience, use wireshark to read the file,
or netfmt if you prefer the command line.



yao_4
Occasional Contributor

Re: what the meaning of IP truncated-ip - 6760 bytes missing!?

tcpdump -h
tcpdump version 3.9.8
libpcap version 0.9.8

tcpdump -s 0 and 20000 make no difference
Laurent Menase
Honored Contributor

Re: what the meaning of IP truncated-ip - 6760 bytes missing!?

You may want to remove those messages.
A filter like 'ip[6:2] & 0x1fff = 0' should remove all fragments and will keep only the first fragment when fragmented, avoiding such messages I guess, depending on where the test is made.
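
Added example, not part of any post in this thread: a Python sketch of the test that the filter 'ip[6:2] & 0x1fff = 0' performs on bytes 6-7 of the IPv4 header, together with the comparison behind tcpdump's "bytes missing" count. The helper names and the sample packets are constructed for illustration.

```python
import struct

FRAG_OFFSET_MASK = 0x1FFF  # low 13 bits of header bytes 6-7: offset in 8-byte units
MORE_FRAGMENTS = 0x2000    # MF flag, set on every fragment except the last

def build_header(total_len, flags_frag):
    """Constructed 20-byte IPv4 header carrying UDP (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, 17, 0, bytes([192, 168, 9, 12]), bytes([192, 168, 9, 1]))

def classify(ip_bytes):
    """Decode the fields that the capture filter and tcpdump's warning depend on."""
    total_len, _ident, flags_frag = struct.unpack("!HHH", ip_bytes[2:8])
    units = flags_frag & FRAG_OFFSET_MASK
    more = bool(flags_frag & MORE_FRAGMENTS)
    if units == 0:
        kind = "first-fragment" if more else "unfragmented"
    else:
        kind = "middle-fragment" if more else "last-fragment"
    return {
        "kind": kind,
        "offset": units * 8,
        # Same test as the capture filter 'ip[6:2] & 0x1fff = 0'.
        "passes_filter": units == 0,
        # tcpdump reports "truncated-ip - N bytes missing!" when the total-length
        # field is larger than the IP bytes in the record; N is the difference.
        "missing": max(0, total_len - len(ip_bytes)),
    }

def samples():
    """Constructed packets; the fragments model an 8200-byte payload, 1500-byte MTU."""
    return {
        "whole": build_header(128, 0x4000) + bytes(108),
        "first": build_header(1500, MORE_FRAGMENTS) + bytes(1480),
        "middle": build_header(1500, MORE_FRAGMENTS | 185) + bytes(1480),
        "last": build_header(820, 925) + bytes(800),
        # Header declares 8220 bytes, record holds 1460: sizes chosen to give 6760.
        "short": build_header(8220, 0) + bytes(1440),
    }

if __name__ == "__main__":
    for name, pkt in samples().items():
        print(name, classify(pkt))
```

Only the records whose fragment offset is zero pass the filter, so an unfragmented packet and the first fragment of a datagram are kept while middle and last fragments are dropped.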