tcpdump – Packet size limited during capture [ENG]
[Due to the # of hits of this entry, I translated this to English …. my poor English xD]
I was looking into why a web application was not working at all. The browser must send a request and the app should add some headers in order to log in without problems … but seeing that the web application didn’t behave as expected, I decided to see what was going on and what *exactly* the browser was sending to the app.
So, I left a “tcpdump” running on the server, and reproduced the issue with the browser. When I opened the dump file with Wireshark (Ethereal fork, AFAIK), I found that many frames were tagged “Packet size limited during capture”.
WTF?
I searched in Wireshark for some strings that are supposed to exist in the HTTP request … no luck. But I’m 100% sure that the browser is sending the string I’m searching for!?
No luck. And … what’s this message “Packet size limited during capture”?
After googling for a while, it seems that in older versions of tcpdump, or when running tcpdump on old OSes, the captured packet size is truncated by default to 96 or 68 bytes. So the Wireshark/Ethereal option “Follow TCP Stream” is unable to show exactly what’s going on between the browser and the HTTP server.
If you want to capture full-length network frames, you must use the “-s 0” flag (i.e. # tcpdump -i eth0 -w file.cap -s 0). The tcpdump manpage warns that this is a lot of extra work for the server. With the “-s 0” flag, the frames are captured at their original length, and we can follow the TCP stream as required.
HTH
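An added example (not part of the original post): Wireshark shows “Packet size limited during capture” when a record's captured length is smaller than its on-the-wire length. The Python code below reads the header of a classic pcap file and each record header to report the snaplen the capture was taken with and how many packets were cut short; the function names and the sample capture built by build_sample are constructed for illustration.

```python
import io
import struct
import sys

# Classic pcap magic numbers as stored on disk -> struct byte-order prefix.
# The last two are the nanosecond-timestamp variant of the same format.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

def scan_pcap(stream):
    """Return (snaplen, total_packets, truncated_packets) for a classic pcap stream."""
    header = stream.read(24)
    if len(header) < 24 or header[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    endian = MAGICS[header[:4]]
    # version major, version minor, thiszone, sigfigs, snaplen, link type
    _, _, _, _, snaplen, _ = struct.unpack(endian + "HHiIII", header[4:])
    total = truncated = 0
    while True:
        rec = stream.read(16)
        if not rec:
            break
        if len(rec) < 16:
            raise ValueError("file ends inside a record header")
        # ts_sec, ts_frac, captured length, original length on the wire
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        if len(stream.read(incl_len)) < incl_len:
            raise ValueError("file ends inside packet data")
        total += 1
        if incl_len < orig_len:  # the condition Wireshark flags
            truncated += 1
    return snaplen, total, truncated

def build_sample(snaplen=96, wire_lengths=(60, 1514, 590)):
    """Constructed sample: a little-endian pcap as written with the given snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, wire in enumerate(wire_lengths):
        captured = min(wire, snaplen)
        out += struct.pack("<IIII", 1256000000 + i, 0, captured, wire)
        out += bytes(captured)  # zero-filled placeholder payload
    return out

if __name__ == "__main__":
    # With a file argument, scan that capture; otherwise scan the constructed sample.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_sample())
    with src:
        snaplen, total, cut = scan_pcap(src)
    print(f"snaplen={snaplen} packets={total} truncated={cut}")
```

A non-zero truncated count on a capture you intend to search or reassemble means it has to be retaken with a larger snaplen.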
20/October/2009 at 1:21 pm
Thanks for the tip! 🙂
19/January/2010 at 4:32 pm
Good stuff and good barbecue
24/May/2010 at 9:20 am
Thanks, really helpful.
7/July/2010 at 11:33 pm
It does not work for me.. =/
I tried to capture through this command:
#tcpdump udp port 53 and host registro.br -w out.pcap -s 0
#tcpdump --version
tcpdump 3.9.4
Do you think that it only works for TCP connections? =/
7/July/2010 at 11:53 pm
sorry it works!!! =D
8/July/2010 at 12:22 am
awesome! thanks for the great post!
8/July/2010 at 11:58 am
Wow,
I’m not very familiar with UDP, and my initial guess was that this shouldn’t work (but I still cannot test that). “Follow TCP Stream” seems to be applicable only to TCP connections, although the “-s” flag is unrelated to the protocol …
But luckily, it worked for you 🙂
14/July/2010 at 1:48 am
Thanks, this was really helpful.
13/August/2010 at 12:09 pm
thanks dude. very helpful tip
15/October/2010 at 6:41 pm
Thanks so much !
27/January/2011 at 10:51 pm
Useful one!
30/January/2011 at 3:33 pm
[…] we then see, among other things, “packet size limited during capture”. We curse briefly, throw the message into Google and start tcpdump again with -s 0: # tcpdump -w /mnt/sdcard/ttrss.dmp -i rmnet0 -s 0 tcpdump: […]
7/July/2011 at 11:58 am
Thanks! Helped me too
21/August/2011 at 3:21 pm
Thanks , very helpful
1/October/2011 at 11:20 pm
thanks. i was looking for this, great help!
i’m in Oct 2011, and my gentoo box is still doing this.
7/October/2011 at 10:25 am
thanxx
14/October/2011 at 7:25 am
Thanks a lot. I was running Wireshark on Windows, which captured everything correctly. But the customer was using tcpdump on Linux and losing packet data. Now I see why :). Thanks again.
13/November/2012 at 11:28 am
Thanks for the tip, it helped me today 😉
6/February/2013 at 4:20 pm
God bless you man!
27/June/2013 at 8:20 am
Thanks, just what i was looking for.
29/August/2013 at 8:12 pm
thanks,
It is helpful
8/December/2014 at 4:13 pm
Thanks for the helpful post.