tcpdump mailing list archives

Re: large packets parsing using TcpDump


From: Guy Harris <guy () alum mit edu>
Date: Tue, 30 Nov 2010 10:26:45 -0800


On Nov 29, 2010, at 10:24 PM, Mali Shternhell wrote:

> I'm using TcpDump in order to capture snmp request-response messages.
>
> When the response packet is larger than 1468 TcpDump fails to capture the
> packet

What do you mean by "fail to capture the packet"?  If you mean that the packet isn't captured at all, it obviously 
won't show up in the output of tcpdump (and would thus be hard to try to make show up in red :-)), so presumably that's 
not what you meant.

If this is over Ethernet (as I suspect it is, given that 1468 is close to 1500), a single network-layer packet can be 
up to 14 bytes of payload, 1500 bytes of data, and 4 bytes of FCS.  If that 1500-byte payload has a 20-byte minimum 
size IPv4 header plus an 8-byte UDP header, that leaves 1472 bytes; any SNMP request or response longer than 1472 bytes 
will not fit in a single IPv4-over-Ethernet packet.  If there's 4 bytes of IP options, that would be a 32-byte IPv4 
header, leaving 1468 bytes.

> (capture below, failed lines are in red)

Nothing appears to be red in your message.

Note that not everybody who might be reading your mail

        1) is running a mail program that can display colors;

        2) is running a mail program that could conveniently handle various rich text formats (RTF, HTML, etc.);

        3) is not suffering from some form of color-blindness (I'm not, but...) or even complete blindness (I don't know whether any screen readers tell the user what *color* the text they're reading is);

so color probably isn't the best way to indicate something in a mail message.

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
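
Added example, not part of the message above and not tcpdump code: it decodes the IPv4 header fields that decide whether a UDP datagram fits in one Ethernet frame, and shows what the fragments of an oversized SNMP response look like. The sample headers, the 192.0.2.x addresses and all function names are constructed for illustration.

```python
import struct

ETH_MTU = 1500  # Ethernet payload size, as in the message above
UDP_HDR = 8

def max_udp_payload(ip_header_len, mtu=ETH_MTU):
    """Largest UDP payload that fits in one unfragmented IPv4 packet."""
    return mtu - ip_header_len - UDP_HDR

def describe_ipv4(packet):
    """Decode the IPv4 header fields that decide fragmentation."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (ver_ihl & 0x0F) * 4          # IHL counts 32-bit words
    if header_len < 20 or header_len > len(packet):
        raise ValueError("bad IHL")
    more = bool(flags_frag & 0x2000)           # MF flag
    offset = (flags_frag & 0x1FFF) * 8         # offset counts 8-byte units
    return {
        "header_len": header_len, "total_len": total_len, "id": ident,
        "more_fragments": more, "offset": offset,
        "is_fragment": more or offset > 0,
        # Only the fragment at offset 0 carries the UDP header (and ports).
        "has_udp_header": proto == 17 and offset == 0,
    }

def build_header(total_len, ident, flags_frag, options=b""):
    """Constructed sample header (192.0.2.x documentation addresses)."""
    words = (20 + len(options)) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | words, 0, total_len, ident,
                       flags_frag, 64, 17, 0, bytes([192, 0, 2, 1]),
                       bytes([192, 0, 2, 2])) + options

# Constructed case: a 2000-byte SNMP response is a 2008-byte UDP datagram,
# which a 1500-byte MTU splits into 1480 + 528 bytes of IPv4 payload.
FIRST = build_header(1500, 0x1234, 0x2000)   # MF set, offset 0
SECOND = build_header(548, 0x1234, 185)      # MF clear, offset 185 * 8

if __name__ == "__main__":
    print(max_udp_payload(20), max_udp_payload(24))
    for pkt in (FIRST, SECOND):
        print(describe_ipv4(pkt))
```

The second fragment has no UDP header, so a capture filter that tests only UDP port numbers cannot match it.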

