tcpdump – Packet size limited during capture [ENG]


Wireshark logo

Wireshark logo

[Due to the # of hits of this entry, I translated this to English …. my poor English xD]

I was looking why a web application was not running at all. The browser must send a request and the app should add some headers in order to login without problems … but seeing that the web application didn’t behave as expected, I decided to see what’s going on and what was sending *exactly* the browser to the app.

So, I left a “tcpdump” running in the server, and replayed the issue with the browser. When I opened the dump file with Wireshark (Ethereal fork, AFAIK), I found that too many frames got a tag “Packet size limited during capture”.

WTF?

After searching with Wireshark some strings that are supposed to exist in the HTTP request ….no luck. But I’m 100% sure that the browser is sending the string I’m searching!?

Wireshark - Packet size limited during capture

Wireshark - Packet size limited during capture

No luck. And … what’s this message “Packet size limited during capture”?

After googling for a while, it seems that older versions of tcpdump, or running tcpdump in old OSes, by default the packet size it’s truncated to 96 or 68 bytes. So, the Wireshark/Ethereal option “Follow TCP Stream” is unable to show what’s exactly going on between the broswser and HTTP server.

If we want to capture network frames full-length, you must use “-s 0” flag. (ie # tcpdump -i eth0 -w file.cap -s 0). But in tcpdump manpage they alert that this is a lot of extra work to the server. With the “-s 0” flag, the frames are captured with the original length, and we can follow the TCP stream as required.

HTH

23 Responses to “tcpdump – Packet size limited during capture [ENG]”

  1. Thanks for the tipp!🙂

  2. Good stuff and good barbecue

  3. Chaminda Says:

    Thanks, really helpful.

  4. It does not work for me.. =/

    I tried to capture trhu this command:

    #tcpdump udp port 53 and host registro.br -w out.pcap -s 0
    #tcpdump –version
    tcpdump 3.9.4

    Do you think that it only works for TCP connectios? =/

  5. sorry it works!!! =D

  6. awesome! thanks for the great post!

  7. Wow,

    I’m not very familiar to UDP, and my initial guess that this shouldn’t work (but I still cannot test that). “Follow TCP Stream” seems to be only appliable to TCP connections, despite “-s” flag is unrelated to protocol …
    But luckily, it worked for you🙂

  8. Nausher Says:

    Thanks, this was really helpful.

  9. thanks dude. very helpful tip

  10. Thanks so much !

  11. Akhilesh Khandelwal Says:

    Useful one!

  12. […] sehen wir dann unter anderem „packet size limited during capture“. Wir fluchen kurz, werfen die Meldung in Google und starten tcpdump nochmal mit -s 0: # tcpdump -w /mnt/sdcard/ttrss.dmp -i rmnet0 -s 0 tcpdump: […]

  13. Thanks! Helped me too

  14. steve ma Says:

    Thanks , very helpful

  15. an anonymous coward Says:

    thanks. i was looking for this, great help!

    i’m in Oct 2011, and my gentoo box is still doing this.

  16. thanxx

  17. Puja Verma Says:

    Thanks a lot. I was running wireshark on windows which captured everything correctly. But the customer was using tcpdump on linux and loosing packets data. Now I see why🙂. Thanks again.

  18. Thanks for tip it help me today😉

  19. God bless you man!

  20. Thanks, just what i was looking for.

  21. thanks,
    It is helpfull

  22. Thanks for the helpful post.

  23. Bong downpipe glass

    tcpdump – Packet size limited during capture [ENG] | Defective Electronics

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: