How can I see the full snaplen capture using tcpdump?

Simon Chiang · Jul 22, 2011 · Viewed 18.3k times

I can't seem to see all the data of a capture when using tcpdump. Specifically I seem to be missing 6 bytes off of the head of the frame and I'm wondering if anyone can explain why.

To illustrate, I set up an Ubuntu instance on VMware in a host-only network configuration. To generate traffic I ping the VMware gateway... in my case:

$ ping 192.168.153.1

Now to capture and print the data:

$ tcpdump -i eth0 -x -s 64
...
10:23:24.419067 IP 192.168.153.1 > ubuntu.local: ICMP echo reply, id 2959, seq 137, length 64
    0x0000:  4500 0054 2313 4000 4001 63bf c0a8 9901
    0x0010:  c0a8 9984 0000 af80 0b8f 0089 0cb2 294e
    0x0020:  1d64 0600 0809 0a0b 0c0d 0e0f
10:23:25.418807 IP ubuntu.local > 192.168.153.1: ICMP echo request, id 2959, seq 138, length 64
    0x0000:  4500 0054 0000 4000 4001 86d2 c0a8 9984
    0x0010:  c0a8 9901 0800 df7f 0b8f 008a 0db2 294e
    0x0020:  e463 0600 0809 0a0b 0c0d 0e0f

As expected, at this point the total number of bytes shown is not 64; the data-link headers are hidden and the IP bytes are the first ones to appear, i.e. '4500'. To display the data-link header bytes I add another x.

$ tcpdump -i eth0 -xx -s 64
...
10:29:29.523043 IP 192.168.153.1 > ubuntu.local: ICMP echo reply, id 2959, seq 501, length 64
    0x0000:  000c 292a 4f6c 0050 56c0 0001 0800 4500
    0x0010:  0054 b305 4000 4001 d3cc c0a8 9901 c0a8
    0x0020:  9984 0000 007d 0b8f 01f5 79b3 294e 5cfa
    0x0030:  0700 0809 0a0b 0c0d 0e0f
10:29:30.522884 IP ubuntu.local > 192.168.153.1: ICMP echo request, id 2959, seq 502, length 64
    0x0000:  0050 56c0 0001 000c 292a 4f6c 0800 4500
    0x0010:  0054 0000 4000 4001 86d2 c0a8 9984 c0a8
    0x0020:  9901 0800 f77b 0b8f 01f6 7ab3 294e 5cfa
    0x0030:  0700 0809 0a0b 0c0d 0e0f

Now more bytes are shown. I think they are the 14 bytes of the Ethernet frame header (dest, source MAC + ethertype = 14 bytes). Correspondingly, the IP header now starts 14 bytes down the line.

But why are there still 6 bytes missing? Notice that only 58 bytes are shown; I was expecting 64 bytes to be visible.
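Added worked example (not part of the question or of any answer): a small Python script that rebuilds the captured bytes from the tcpdump -x / -xx hex dump shown above, decodes the Ethernet, IPv4 and ICMP headers, verifies the IP header checksum, and measures how much of the frame the snaplen cut off. The two sample dumps are the echo reply and echo request copied from the question; the script assumes the dump is in tcpdump's hex format and that the frame is Ethernet carrying IPv4 (it does not explain where the 6 bytes went, it only measures the gap, which is the check worth running before trusting a truncated capture in an investigation).

```python
import re
import struct
from ipaddress import IPv4Address

# Hex dump as printed by "tcpdump -i eth0 -xx -s 64" (the echo reply from
# the question; link-layer header included).
SAMPLE_XX = """\
10:29:29.523043 IP 192.168.153.1 > ubuntu.local: ICMP echo reply, id 2959, seq 501, length 64
    0x0000:  000c 292a 4f6c 0050 56c0 0001 0800 4500
    0x0010:  0054 b305 4000 4001 d3cc c0a8 9901 c0a8
    0x0020:  9984 0000 007d 0b8f 01f5 79b3 294e 5cfa
    0x0030:  0700 0809 0a0b 0c0d 0e0f
"""

# Same format with a single -x (dump starts at the IP header), also from the question.
SAMPLE_X = """\
10:23:25.418807 IP ubuntu.local > 192.168.153.1: ICMP echo request, id 2959, seq 138, length 64
    0x0000:  4500 0054 0000 4000 4001 86d2 c0a8 9984
    0x0010:  c0a8 9901 0800 df7f 0b8f 008a 0db2 294e
    0x0020:  e463 0600 0809 0a0b 0c0d 0e0f
"""

HEXLINE = re.compile(r"^\s*0x([0-9a-fA-F]{4}):\s+((?:[0-9a-fA-F]{2,4}\s*)+)$")


def parse_hexdump(text: str) -> bytes:
    """Rebuild the captured bytes from tcpdump -x/-xx output, checking that each
    line's printed offset matches the number of bytes parsed so far."""
    out = bytearray()
    for line in text.splitlines():
        m = HEXLINE.match(line)
        if not m:
            continue  # the summary line or unrelated text
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"offset 0x{offset:04x} but {len(out)} bytes parsed so far")
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IP header; 0 means it verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_capture(data: bytes, link_header: bool = True) -> dict:
    """Decode Ethernet (if present), IPv4 and the ICMP header, then compare the
    bytes actually captured with the size the IP total-length field claims."""
    info = {"captured": len(data)}
    off = 0
    if link_header:
        dst, src, ethertype = struct.unpack("!6s6sH", data[:14])
        info.update(dst_mac=dst.hex(":"), src_mac=src.hex(":"), ethertype=ethertype)
        off = 14
    ip = data[off:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    info.update(
        ip_version=ip[0] >> 4,
        ip_header_len=ihl,
        ip_total_len=total_len,
        protocol=ip[9],
        src=str(IPv4Address(ip[12:16])),
        dst=str(IPv4Address(ip[16:20])),
        ip_checksum_ok=ip_checksum(ip[:ihl]) == 0,
    )
    if ip[9] == 1:  # ICMP: type, code, checksum, identifier, sequence
        itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
        info.update(icmp_type=itype, icmp_id=ident, icmp_seq=seq)
    # Bytes that were on the wire but never made it into the dump.
    info["on_wire"] = off + total_len
    info["truncated"] = info["on_wire"] - len(data)
    return info


def snaplen_shortfall(info: dict, snaplen: int) -> int:
    """How many bytes short of the requested snaplen a -xx dump is. Only
    meaningful for -xx output, where the link-layer bytes are part of the dump."""
    if info["on_wire"] <= snaplen:
        return 0  # the whole frame fit; nothing was cut
    return snaplen - info["captured"]


if __name__ == "__main__":
    reply = parse_capture(parse_hexdump(SAMPLE_XX))
    print("-xx:", reply)
    print("bytes short of snaplen 64:", snaplen_shortfall(reply, 64))
    print("-x: ", parse_capture(parse_hexdump(SAMPLE_X), link_header=False))
```

Run against the question's echo reply, the script reports 58 bytes captured of a 98-byte frame (14-byte Ethernet header plus the 84 bytes the IP total-length field declares), so 40 bytes were truncated and the dump is 6 bytes short of the requested snaplen of 64; the IP header checksum verifies, so the bytes were copied intact. The single -x dump of the echo request gives 44 bytes, which is the same 58 minus the 14 hidden link-layer bytes.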

Answer

Udit Gupta · Nov 28, 2011

Try using tcpdump with -s0

I tried this and it worked for me. (It is only an example; you just need -s0.)

tcpdump -X -s0 port 21