Re: PROBLEM: all bytes of extracted payload from a dump file appear to be zero

On Nov 8, 2007 5:18 AM, Irfan Ahmed <ahm_irf@xxxxxxxxx> wrote:
>
> I am capturing the packets by using TCPDUMP on Linux (Fedora, kernel 2.6.18.1).
>
> When I extracted the payload from the packets I found that the actual
> payload is just 30 bytes out of 1448 bytes, and the rest of the payload is
> padded with zeros.
>
> Any idea why this is happening?

Use the flag "-s 0" to capture full packets.

From the tcpdump manpage:

 -s     Snarf snaplen bytes of data from each packet rather than the
        default of 68 (with SunOS's NIT, the minimum is actually 96). 68
        bytes is adequate for IP, ICMP, TCP and UDP but may truncate
        protocol information from name server and NFS packets (see
        below). Packets truncated because of a limited snapshot are
        indicated in the output with ``[|proto]'', where proto is the
        name of the protocol level at which the truncation has occurred.
        Note that taking larger snapshots both increases the amount of
        time it takes to process packets and, effectively, decreases the
        amount of packet buffering. This may cause packets to be lost.
        You should limit snaplen to the smallest number that will capture
        the protocol information you're interested in. Setting snaplen
        to 0 means use the required length to catch whole packets.

Cheers,
Lucas.
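A quick way to confirm that a capture was cut short by the snaplen, rather than by the extraction tool, is to compare each pcap record's captured length (incl_len) against its on-the-wire length (orig_len). The script below is an added example written for this thread, not code from tcpdump or from anyone on the list; the embedded pcap bytes are constructed, with snaplen 68 and one 1500-byte frame cut at 68 bytes, the situation Irfan describes.

```python
import struct

# Constructed sample: a little-endian libpcap file with snaplen 68 holding two
# records. Record 0 is a complete 60-byte frame; record 1 is a 1500-byte frame
# that was cut at 68 bytes (the payload the extractor then zero-padded).
PCAP_MAGIC_LE = 0xA1B2C3D4
GLOBAL_HDR = "<IHHiIII"   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"      # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)


def _record(caplen, origlen):
    # Record header followed by exactly caplen bytes of (zeroed) frame data.
    return struct.pack(RECORD_HDR, 0, 0, caplen, origlen) + bytes(caplen)


SAMPLE_PCAP = (
    struct.pack(GLOBAL_HDR, PCAP_MAGIC_LE, 2, 4, 0, 0, 68, 1)  # linktype 1 = Ethernet
    + _record(60, 60)
    + _record(68, 1500)
)


def find_truncated(pcap_bytes):
    """Return (snaplen, [(index, incl_len, orig_len), ...]) for every record
    whose captured length is shorter than its original length."""
    magic, _maj, _min, _tz, _sig, snaplen, _link = struct.unpack_from(GLOBAL_HDR, pcap_bytes, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian pcap (big-endian and pcapng not handled here)")
    truncated = []
    off, idx = struct.calcsize(GLOBAL_HDR), 0
    while off + struct.calcsize(RECORD_HDR) <= len(pcap_bytes):
        _sec, _usec, incl, orig = struct.unpack_from(RECORD_HDR, pcap_bytes, off)
        off += struct.calcsize(RECORD_HDR)
        if off + incl > len(pcap_bytes):
            raise ValueError(f"record {idx} runs past end of file (corrupt or cut-off capture)")
        if incl < orig:
            truncated.append((idx, incl, orig))
        off += incl
        idx += 1
    return snaplen, truncated


if __name__ == "__main__":
    snaplen, bad = find_truncated(SAMPLE_PCAP)
    print(f"file snaplen = {snaplen}")
    for idx, incl, orig in bad:
        print(f"record {idx}: captured {incl} of {orig} bytes; recapture with -s 0")
```

Read a real file with `find_truncated(open("dump.pcap", "rb").read())`; any non-empty list means the bytes were never on disk and no extractor setting will recover them.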

--
To unsubscribe from this list: send an email with
"unsubscribe kernelnewbies" to ecartis@xxxxxxxxxxxx
Please read the FAQ at http://kernelnewbies.org/FAQ