
I have a problem with rsyslog. It works as a log collector for some devices. When I check with tcpdump I see the line below coming in.

    Facility user (1), Severity info (6)
        Msg: 1 2014-01-26T15:21:25.345+03:00 XXX_XXX-Node1 [|syslog]
    15:21:37.526894 IP (tos 0x0, ttl 245, id 36018, offset 0, flags [none], proto UDP (17), length 708) xxx.syslog > xxx.syslog: SYSLOG, length: 680

Length is 680. Before we upgraded the remote end it was the same length and it was working fine. Nothing changed except the version of the remote end (log sender). But there is a strange [|syslog] entry there and I cannot see the message.

Has anybody hit this kind of issue before? Do you have any ideas why it could happen?

Thanks, Suner

larsks
Suner Evren

1 Answer


By default tcpdump does not capture the entire packet. If you read the tcpdump man page, you'll find information about the -s option, which says:

   -s     Snarf snaplen bytes of data from each  packet  rather  than  the
          default  of 65535 bytes.  Packets truncated because of a limited
          snapshot are indicated in the output  with  ``[|proto]'',  where
          proto  is the name of the protocol level at which the truncation
          has occurred...

Your output contains [|syslog], which indicates the packet was truncated. Try specifying a larger value (e.g., tcpdump -s 1500 ...).

larsks
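As an added example (not part of the answer above, and not tcpdump's own code), the following Python helper scans tcpdump output for the `[|proto]` truncation marker and works out the snaplen that would have held the whole datagram. It assumes an Ethernet link layer (14-byte frame header) and uses a constructed sample modelled on the output in the question; note that tcpdump releases before 4.0 defaulted to a snaplen of only 68 or 96 bytes, which is exactly the situation that produces `[|syslog]` on a 680-byte message.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# tcpdump marks a packet it could not fully decode with [|proto], where proto
# is the layer at which the captured bytes (the snaplen) ran out.
TRUNC_RE = re.compile(r"\[\|(\w+)\]")
# "IP (... length 708)" is the IPv4 total length of the datagram;
# "SYSLOG, length: 680" is the UDP payload tcpdump tried to decode.
IP_LEN_RE = re.compile(r"\bIP \(.*?\blength (\d+)\)")
PAYLOAD_RE = re.compile(r"SYSLOG, length: (\d+)")

ETHERNET_HEADER = 14  # assumed link layer; VLAN tags or other media change this

# Constructed sample modelled on the question (addresses are documentation placeholders).
SAMPLE = """\
15:21:37.526894 IP (tos 0x0, ttl 245, id 36018, offset 0, flags [none], proto UDP (17), length 708) 192.0.2.10.syslog > 192.0.2.1.syslog: SYSLOG, length: 680
Facility user (1), Severity info (6)
    Msg: 1 2014-01-26T15:21:25.345+03:00 XXX_XXX-Node1 [|syslog]
"""


@dataclass
class CaptureCheck:
    truncated_at: List[str] = field(default_factory=list)  # protocol names from [|proto]
    ip_total_length: Optional[int] = None
    payload_length: Optional[int] = None

    @property
    def suggested_snaplen(self) -> Optional[int]:
        """Bytes from the start of the frame needed to capture the whole datagram."""
        if self.ip_total_length is None:
            return None
        return ETHERNET_HEADER + self.ip_total_length


def analyze(tcpdump_output: str) -> CaptureCheck:
    """Parse tcpdump text output and report truncation plus the snaplen to use."""
    check = CaptureCheck(truncated_at=TRUNC_RE.findall(tcpdump_output))
    m = IP_LEN_RE.search(tcpdump_output)
    if m:
        check.ip_total_length = int(m.group(1))
    m = PAYLOAD_RE.search(tcpdump_output)
    if m:
        check.payload_length = int(m.group(1))
    return check


if __name__ == "__main__":
    result = analyze(SAMPLE)
    if result.truncated_at:  # -s 0 also works: tcpdump then captures full packets
        print(f"truncated at {result.truncated_at}; rerun with tcpdump -s {result.suggested_snaplen}")
```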