tcpdump truncates to 1472 bytes useful data in UDP packets during the capture

Question

I am writing an application which work with network. To perform some tests I need to reproduce the flow which I had a day before. But at the same time it is not allowed to stop the current working listener. I also cant rewrite existing program in order to save the incoming flow. In order to solve my task I decided to use tcpdump.

I run tcpdump on the destination machine with the command:

tcpdump -w capture.cap -n "dst host host.domain.com and port 5555"

When I read the capture.cap with tcpick or with scapy. I can see that all the useful data which was longer then 1472 bytes is truncated to be with the length 1472. But in the header it is still written the original length of packet. As I can judge, UDP packet splits for the several and then concatenated again. But tcpdump probably filter out all packages without header (which should appear only in the first packet)

Is there any way to dump full UDP packages?

Related: http://stackoverflow.com/questions/16897319/libpcap-cant-capture-ip-fragments/19835734#19835734 http://stackoverflow.com/questions/7522487/using-tcpdump-to-capture-a-specific-port-when-udp-message-can-be-fragmented — Barmar, Nov 20 '14 at 17:17
I think you're also going to be missing them because the fragmented packets don't have the full header, and won't have the UDP port number in it. So, filtering on the UDP port won't work. — NickW, Nov 20 '14 at 17:24
@NickW Thanks NickW! That was the problem when I was trying to analyze the content of pcap file with Python. — Gavelock, Jul 20 '15 at 15:43

score 12 · Accepted Answer · answered Nov 20 '14 at 17:25

If an IP packet is bigger than the MTU of the network link on which the packet is being sent, IP will fragment it into IP packets that can fit on the network; that's done by the IP layer, not the UDP layer.

The MTU of an Ethernet is normally 1500 bytes (the maximum Ethernet packet size is 1518, which includes 14 bytes of header, 1500 bytes of payload, and 4 bytes of FCS). An IPv4 header is 20 bytes if it has no options, and a UDP header is 8 bytes, so the maximum UDP payload size is 1500-28 = 1472.

So IP splits the packet into two or more fragments, and reassembles them on the receiving machine.

See the related question for a discussion of why tcpdump isn't capturing any fragments other than the first fragment.

so is there a way to capture and re-assemble the full UDP packet > 1500 bytes? — MK., Sep 10 '20 at 16:35

score 0 · Answer 2 · answered Nov 21 '14 at 02:12

0

Using -s 0 ensures that the entire packet/frame is captured. If it's fragmented then you will know from analyzing the dump.

Try wireshark for a GUI analyzer of the pcap data. It will colorize the output etc.

answered Nov 21 '14 at 02:12

blondie

1

This is not actually a problem. The new versions of tcpdump use -s 0 by default, which means capture size 65535 bytes. – Gavelock Nov 21 '14 at 17:54

tcpdump truncates to 1472 bytes useful data in UDP packets during the capture

2 Answers2