Sunday, January 20, 2013

TCPDUMP - Packet size limited during capture HTTP truncated

If you want to capture network packets from the command line on Linux, tcpdump is the tool to use. The simplest form is:

tcpdump -i eth0 -w out.pcap

The above command writes every packet seen on interface eth0 to a file called out.pcap. The file is in pcap format, which Wireshark can open directly. (Capturing needs root or the CAP_NET_RAW capability.)

On older tcpdump releases (the 3.x series, which some distributions still ship) the command above only keeps the first 96 bytes of each packet, the default snapshot length (snaplen). The benefit is a small output file, and 96 bytes is enough for the Ethernet, IP and TCP headers. The downside is that everything past that limit, which for a large packet is most of the payload, is discarded before it reaches the file, so you never see the complete picture of the conversation. Wireshark flags every such packet with the expert message "Packet size limited during capture: HTTP truncated" (or the equivalent for other protocols), and its dissectors cannot reassemble the HTTP response because the bytes simply are not in the capture.

To solve this, set the snapshot length explicitly:

tcpdump -i eth0 -w out.pcap -s 0

The -s 0 flag tells tcpdump to capture each packet at its full size (on those releases the effective limit was 65535 bytes). This produces a much larger output file. tcpdump 4.0 and later capture whole packets by default, so -s 0 is only needed on older releases, but it is harmless to keep in scripts that must work everywhere. If file size is a concern, keep the full snaplen and reduce what is captured instead, with a capture filter such as 'port 80' or by rotating files with -C (size) or -G (seconds); a truncated payload is useless for reconstructing an HTTP session or a suspicious download, so shrinking the snaplen is the wrong way to save space when the capture is meant for investigation.
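To check an existing capture for exactly this problem before opening it in Wireshark, here is an added example (not part of the original post): a small Python script that parses the classic pcap format written by tcpdump -w, reports the snaplen recorded in the file header, and counts the records whose stored length is shorter than their original on-the-wire length, which is the condition behind Wireshark's "Packet size limited during capture" message. The sample capture it builds when run without a file argument is constructed inline for the demo and is not real traffic; build_pcap, build_sample_capture and truncation_report are names chosen here.

```python
"""Check a pcap file for packets that were cut short by tcpdump's snaplen."""
import struct
import sys
from typing import Dict, List, NamedTuple, Tuple

PCAP_HDR_LEN = 24   # global header: magic, version, tz, sigfigs, snaplen, linktype
PCAP_REC_LEN = 16   # per-packet header: ts_sec, ts_frac, incl_len, orig_len
MAGICS = {0xA1B2C3D4: "us", 0xA1B23C4D: "ns"}   # microsecond / nanosecond variants
LINKTYPE_ETHERNET = 1


class PcapRecord(NamedTuple):
    ts_sec: int
    ts_frac: int
    caplen: int      # bytes actually stored in the file (incl_len)
    origlen: int     # bytes that were on the wire (orig_len)
    data: bytes


def parse_pcap(blob: bytes) -> Tuple[int, List[PcapRecord]]:
    """Parse a classic (non-pcapng) pcap file; return (snaplen, records)."""
    if len(blob) < PCAP_HDR_LEN:
        raise ValueError("file too short to be a pcap")
    for endian in ("<", ">"):            # byte order is signalled by the magic number
        magic = struct.unpack(endian + "I", blob[:4])[0]
        if magic in MAGICS:
            break
    else:
        raise ValueError("not a pcap file (bad magic)")
    _, _vmaj, _vmin, _tz, _sigfigs, snaplen, _linktype = struct.unpack(
        endian + "IHHiIII", blob[:PCAP_HDR_LEN])

    records: List[PcapRecord] = []
    off = PCAP_HDR_LEN
    while off + PCAP_REC_LEN <= len(blob):
        ts_sec, ts_frac, caplen, origlen = struct.unpack(
            endian + "IIII", blob[off:off + PCAP_REC_LEN])
        off += PCAP_REC_LEN
        data = blob[off:off + caplen]
        if len(data) != caplen:           # file ends mid-record (e.g. capture killed)
            raise ValueError("record at offset %d runs past end of file" % (off - PCAP_REC_LEN))
        records.append(PcapRecord(ts_sec, ts_frac, caplen, origlen, data))
        off += caplen
    return snaplen, records


def truncation_report(blob: bytes) -> Dict[str, int]:
    """Count records Wireshark would flag as 'Packet size limited during capture'."""
    snaplen, records = parse_pcap(blob)
    truncated = [r for r in records if r.caplen < r.origlen]
    return {
        "snaplen": snaplen,
        "packets": len(records),
        "truncated": len(truncated),
        "largest_original": max((r.origlen for r in records), default=0),
    }


def build_pcap(snaplen: int, frames: List[bytes]) -> bytes:
    """Write frames into an Ethernet pcap, cutting each at snaplen as tcpdump -s would."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        stored = frame[:snaplen]
        # constructed timestamps around 2013-01-20; incl_len < orig_len marks a truncated record
        out += struct.pack("<IIII", 1358640000 + i, 0, len(stored), len(frame)) + stored
    return out


def build_sample_capture(snaplen: int) -> bytes:
    """Constructed sample: a minimum-size 60-byte frame and a full 1514-byte frame (not real traffic)."""
    small = bytes(60)
    large = (bytes(range(256)) * 6)[:1514]
    return build_pcap(snaplen, [small, large])


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_capture(96)
    rep = truncation_report(blob)
    print("snaplen in file header: %d" % rep["snaplen"])
    print("%d of %d packets truncated (largest original %d bytes)" % (
        rep["truncated"], rep["packets"], rep["largest_original"]))
    if rep["truncated"]:
        print("re-capture with 'tcpdump -s 0' (or a snaplen >= %d)" % rep["largest_original"])
```

Run it as 'python pcapcheck.py out.pcap'. It only understands the classic pcap format that tcpdump -w produces, not pcapng. Note that the snaplen field in the header records the limit tcpdump actually applied, so a file written with -s 0 by an old release shows 65535 there rather than 0.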
