How can I see the full snaplen capture using tcpdump?

Tags:

tcpdump

I can't seem to see all the data of a capture when using tcpdump. Specifically I seem to be missing 6 bytes off of the head of the frame and I'm wondering if anyone can explain why.

To illustrate, I set up an Ubuntu instance on VMWare in a host-only network configuration. To generate traffic I ping the VMWare gateway... in my case:

$ ping 192.168.153.1

Now to capture and print the data:

$ tcpdump -i eth0 -x -s 64
...
10:23:24.419067 IP 192.168.153.1 > ubuntu.local: ICMP echo reply, id 2959, seq 137, length 64
    0x0000:  4500 0054 2313 4000 4001 63bf c0a8 9901
    0x0010:  c0a8 9984 0000 af80 0b8f 0089 0cb2 294e
    0x0020:  1d64 0600 0809 0a0b 0c0d 0e0f
10:23:25.418807 IP ubuntu.local > 192.168.153.1: ICMP echo request, id 2959, seq 138, length 64
    0x0000:  4500 0054 0000 4000 4001 86d2 c0a8 9984
    0x0010:  c0a8 9901 0800 df7f 0b8f 008a 0db2 294e
    0x0020:  e463 0600 0809 0a0b 0c0d 0e0f

As expected, at this point the total number of bytes shown is not 64; the data-link headers are hidden and the IP bytes are the first ones to appear, i.e. '4500'. To display the data-link header bytes I add another x.

$ tcpdump -i eth0 -xx -s 64
...
10:29:29.523043 IP 192.168.153.1 > ubuntu.local: ICMP echo reply, id 2959, seq 501, length 64
    0x0000:  000c 292a 4f6c 0050 56c0 0001 0800 4500
    0x0010:  0054 b305 4000 4001 d3cc c0a8 9901 c0a8
    0x0020:  9984 0000 007d 0b8f 01f5 79b3 294e 5cfa
    0x0030:  0700 0809 0a0b 0c0d 0e0f
10:29:30.522884 IP ubuntu.local > 192.168.153.1: ICMP echo request, id 2959, seq 502, length 64
    0x0000:  0050 56c0 0001 000c 292a 4f6c 0800 4500
    0x0010:  0054 0000 4000 4001 86d2 c0a8 9984 c0a8
    0x0020:  9901 0800 f77b 0b8f 01f6 7ab3 294e 5cfa
    0x0030:  0700 0809 0a0b 0c0d 0e0f

Now more bytes are shown. I think they are the 14 bytes of the Ethernet frame header (dest, source MAC + ethertype = 14 bytes). Correspondingly, the IP header now starts 14 bytes down the line.

But why are there still 6 bytes missing? Notice that only 58 bytes are shown - I was expecting 64 bytes to be visible.

Simon Chiang asked Jul 22 '11 17:07


2 Answers

Try using tcpdump with -s0

I tried this and it worked for me. (It is only an example; you just need -s0.)

tcpdump -X -s0 port 21

Udit Gupta answered Oct 21 '22 23:10


The minimum Ethernet frame size is 64 bytes. When a payload is too small, Ethernet will pad its contents. The total length value of the IP header will be used to determine where the padding starts, which will be discarded and is therefore not shown by tcpdump.

PRINCESS FLUFF answered Oct 22 '22 00:10
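The question's "58 bytes instead of 64" puzzle and the padding answer above both come down to arithmetic on the hex dump, so here is an added example (not from the question or either answer) that does that arithmetic. It parses the `0xNNNN:  4500 0054 ...` lines that `tcpdump -x`/`-xx` print, rebuilds the captured bytes, reads the IPv4 total-length field, and reports how far the capture falls short of both the snaplen and the frame that was on the wire. It also reports whether the frame is small enough to have been padded to the Ethernet minimum (60 bytes without the 4-byte FCS, which libpcap normally does not deliver). The two sample dumps are the first echo reply from each of the question's runs; the snaplen of 64 is the one the question used. Function and constant names are this example's own.

```python
"""Check a tcpdump -x / -xx hex dump for truncation against the snaplen."""
import re

# Constructed samples: the first frame of each run shown in the question.
# SAMPLE_XX comes from `tcpdump -i eth0 -xx -s 64` (Ethernet header included),
# SAMPLE_X from `tcpdump -i eth0 -x -s 64` (printing starts at the IP header).
SAMPLE_XX = """\
10:29:29.523043 IP 192.168.153.1 > ubuntu.local: ICMP echo reply, id 2959, seq 501, length 64
    0x0000:  000c 292a 4f6c 0050 56c0 0001 0800 4500
    0x0010:  0054 b305 4000 4001 d3cc c0a8 9901 c0a8
    0x0020:  9984 0000 007d 0b8f 01f5 79b3 294e 5cfa
    0x0030:  0700 0809 0a0b 0c0d 0e0f
"""
SAMPLE_X = """\
10:23:24.419067 IP 192.168.153.1 > ubuntu.local: ICMP echo reply, id 2959, seq 137, length 64
    0x0000:  4500 0054 2313 4000 4001 63bf c0a8 9901
    0x0010:  c0a8 9984 0000 af80 0b8f 0089 0cb2 294e
    0x0020:  1d64 0600 0809 0a0b 0c0d 0e0f
"""

ETH_HDR_LEN = 14            # dst MAC (6) + src MAC (6) + EtherType (2)
ETHERTYPE_IPV4 = 0x0800
MIN_FRAME_NO_FCS = 60       # 64-byte Ethernet minimum minus the 4-byte FCS,
                            # which libpcap normally does not hand to tcpdump

# One `    0x0010:  c0a8 9984 ...` line of tcpdump -x/-xx output.
HEX_LINE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{2,4}\s*)+)$", re.I)


def parse_hex_dump(text):
    """Rebuild the captured bytes of the first packet in a -x/-xx dump."""
    chunks = [re.sub(r"\s+", "", m.group(1))
              for m in map(HEX_LINE.match, text.splitlines()) if m]
    return bytes.fromhex("".join(chunks))


def analyse(captured, snaplen, link_header=True):
    """Compare what was captured with what the IPv4 header says was on the wire.

    link_header=True for -xx dumps, False for -x dumps (tcpdump then hides the
    14 Ethernet bytes, but they still count towards the snaplen).
    """
    hidden = 0 if link_header else ETH_HDR_LEN
    if link_header:
        if len(captured) < ETH_HDR_LEN:
            raise ValueError("capture shorter than an Ethernet header")
        ethertype = int.from_bytes(captured[12:14], "big")
        if ethertype != ETHERTYPE_IPV4:
            raise ValueError(f"not IPv4: EtherType 0x{ethertype:04x}")
    ip = captured[ETH_HDR_LEN - hidden:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("no complete IPv4 header in the capture")
    ip_total_len = int.from_bytes(ip[2:4], "big")
    frame_len = ETH_HDR_LEN + ip_total_len       # bytes libpcap would receive
    captured_frame = len(captured) + hidden      # count the hidden header too
    return {
        "captured_frame_bytes": captured_frame,
        "ip_total_len": ip_total_len,
        "frame_len": frame_len,
        "padded": frame_len < MIN_FRAME_NO_FCS,  # only tiny frames get padding
        "short_of_snaplen": snaplen - captured_frame,
        "short_of_frame": frame_len - captured_frame,
    }


if __name__ == "__main__":
    for name, dump, has_link in (("-xx", SAMPLE_XX, True), ("-x", SAMPLE_X, False)):
        print(name, analyse(parse_hex_dump(dump), snaplen=64, link_header=has_link))
```

Both dumps describe the same 58 captured bytes (the `-x` view just hides the 14-byte header), so `short_of_snaplen` is 6 for each, which is the gap the question asks about; `ip_total_len` is 84, so the full frame was 98 bytes and `short_of_frame` shows how much of the ICMP payload a 64-byte snaplen discards. A truncated capture like this is worth flagging in any forensic or detection pipeline, since signatures that look past the first few dozen bytes will silently miss.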