I can't seem to see all the data of a capture when using tcpdump. Specifically I seem to be missing 6 bytes off of the head of the frame and I'm wondering if anyone can explain why.
To illustrate, I setup a Ubuntu instance on VMWare in a host-only network configuration. To generate traffic I ping the VMWare gateway... in my case:
$ ping 192.168.153.1
Now to capture and print the data:
$ tcpdump -i eth0 -x -s 64
...
10:23:24.419067 IP 192.168.153.1 > ubuntu.local: ICMP echo reply, id 2959, seq 137, length 64
0x0000: 4500 0054 2313 4000 4001 63bf c0a8 9901
0x0010: c0a8 9984 0000 af80 0b8f 0089 0cb2 294e
0x0020: 1d64 0600 0809 0a0b 0c0d 0e0f
10:23:25.418807 IP ubuntu.local > 192.168.153.1: ICMP echo request, id 2959, seq 138, length 64
0x0000: 4500 0054 0000 4000 4001 86d2 c0a8 9984
0x0010: c0a8 9901 0800 df7f 0b8f 008a 0db2 294e
0x0020: e463 0600 0809 0a0b 0c0d 0e0f
As expected at this point the total number of bytes show is not 64; the data-link headers are hidden and the IP bytes are the first ones to appear, ie '4500'. To display the data-link header bytes I add another x.
$ tcpdump -i eth0 -xx -s 64
...
10:29:29.523043 IP 192.168.153.1 > ubuntu.local: ICMP echo reply, id 2959, seq 501, length 64
0x0000: 000c 292a 4f6c 0050 56c0 0001 0800 4500
0x0010: 0054 b305 4000 4001 d3cc c0a8 9901 c0a8
0x0020: 9984 0000 007d 0b8f 01f5 79b3 294e 5cfa
0x0030: 0700 0809 0a0b 0c0d 0e0f
10:29:30.522884 IP ubuntu.local > 192.168.153.1: ICMP echo request, id 2959, seq 502, length 64
0x0000: 0050 56c0 0001 000c 292a 4f6c 0800 4500
0x0010: 0054 0000 4000 4001 86d2 c0a8 9984 c0a8
0x0020: 9901 0800 f77b 0b8f 01f6 7ab3 294e 5cfa
0x0030: 0700 0809 0a0b 0c0d 0e0f
Now more bytes are shown. I think they are the 14 bytes of the ethernet frame header (dest,source MAC + ethertype = 14 bytes). Correspondingly the IP header now starts 14 bytes down the line.
But why are there still 6 bytes missing? Notice that only 58 bytes are shown - I was expecting to 64 bytes to be visible.
Try using tcpdump with -s0
I tried this and it worked for me .. (It is only an example you just need -s0)
tcpdump -X -s0 port 21
The minimum Ethernet frame size is 64 bytes. When a payload is too small, Ethernet will pad its contents. The total length value of the IP header will be used to determine where the padding starts, which will be discarded and is therefore not shown by Tcpdump.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With