[tcpdump-workers] Radius
Hello,
i got a question about tcpdumping radius packets.
in some auth-replies iam missing some attributes but instead of them i
can see at the end of a tcpdump line the following:
"[|radius]"
what does this exactly mean?
f.e.:
---
12:58:05.215548 x.x.x.x.1645 > x.x.x.x.1645: rad-access-accept 217 [id 14]
Attr[ Framed_ipaddr{10.10.10.10} [|radius]
---
normaly i can see a lot of more output:
---
13:14:56.867709 x.x.x.x.1645 > x.x.x.x.1645: rad-access-accept 38 [id 37]
Attr[ Framed_ipaddr{11.1.1.11} Framed_proto{PPP} Service_type{Framed} ]
---
does somebody have an idea?
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
Re: [tcpdump-workers] Radius
On Nov 16, 2004, at 1:08 PM, jesk wrote: in some auth-replies iam missing some attributes but instead of them i can see at the end of a tcpdump line the following: "[|radius]" what does this exactly mean? It probably means that either 1) the RADIUS packet didn't fit in a single link-layer packet (and was thus fragmented at the IP layer) or 2) the RADIUS packet didn't fit within the "snapshot length" used for the capture. The default snapshot length for tcpdump is 68 for versions of tcpdump that don't support IPv6 and 96 for versions of tcpdump that do support IPv6, so, unless you specify a larger snapshot length with the "-s" flag, RADIUS packets that don't fit within 68 or 96 bytes (depending on whether the version of tcpdump you're using was built with IPv6 support or not) will get an |radius report. In modern versions of tcpdump, "-s 0" requests a snapshot length of 65535, which should be sufficient to handle all link layers supported by tcpdump. In older versions, you'd have to do "-s 65535". (Don't try to use the MTU of the network - using 0 or 65535 is easier, and more likely to be large enough; for example, note that "-s 1500" is *NOT* large enough for Ethernet, as the snapshot length includes the link-layer header, so it'd have to be "-s 1514".) - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Re: [tcpdump-workers] Radius
On Nov 16, 2004, at 1:08 PM, jesk wrote: in some auth-replies iam missing some attributes but instead of them i can see at the end of a tcpdump line the following: "[|radius]" what does this exactly mean? It probably means that either 1) the RADIUS packet didn't fit in a single link-layer packet (and was thus fragmented at the IP layer) or 2) the RADIUS packet didn't fit within the "snapshot length" used for the capture. The default snapshot length for tcpdump is 68 for versions of tcpdump that don't support IPv6 and 96 for versions of tcpdump that do support IPv6, so, unless you specify a larger snapshot length with the "-s" flag, RADIUS packets that don't fit within 68 or 96 bytes (depending on whether the version of tcpdump you're using was built with IPv6 support or not) will get an |radius report. In modern versions of tcpdump, "-s 0" requests a snapshot length of 65535, which should be sufficient to handle all link layers supported by tcpdump. In older versions, you'd have to do "-s 65535". (Don't try to use the MTU of the network - using 0 or 65535 is easier, and more likely to be large enough; for example, note that "-s 1500" is *NOT* large enough for Ethernet, as the snapshot length includes the link-layer header, so it'd have to be "-s 1514".) - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe. Ah thanks for the reply and the answer of my question, this explains everything :) kind regards, Christian - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
