Hello.

I'm monitoring an Ethernet link with tcpdump-3.9.4.

I've read that when packets are generated by the same machine that tcpdump is run on, those packets may be smaller than the minimum Ethernet frame length, which is 64 bytes. AFAIK, this is because the kernel "sends" the packets to pcap before adding the needed padding to send them out to the internet.

I understand this so far, and I'm not surprised to get packets of 42 or 60 bytes generated by my machine. But what is very strange is that every time I make a capture session with tcpdump I get *many* packets of 60 bytes that are not originated in my own machine, nor are they sent to it.

Here's an example of the output of tcpdump:
$ tcpdump -c5 '(host not 193.145.45.234 && len < 64)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:23:12.896879 802.1d config 802c.00:08:21:23:f0:80.800f root 8000.00:07:0d:52:f4:2c pathcost 8 age 2 max 20 hello 2 fdelay 15
14:23:13.207367 arp who-has efpc266.upf.es tell telecom.upf.es
14:23:13.207963 arp who-has efpc148.upf.es tell telecom.upf.es
14:23:14.895948 802.1d config 802c.00:08:21:23:f0:80.800f root 8000.00:07:0d:52:f4:2c pathcost 8 age 2 max 20 hello 2 fdelay 15
14:23:16.895997 802.1d config 802c.00:08:21:23:f0:80.800f root 8000.00:07:0d:52:f4:2c pathcost 8 age 2 max 20 hello 2 fdelay 15
$

Could anyone explain to me the reason for that behaviour?

Thanks.


*david
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
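
Added example, not part of the original post: a classic-pcap reader that buckets frames by the on-wire length the `len < 64` filter tests. It relies on the 64-byte Ethernet minimum including the 4-byte FCS, which capture interfaces normally do not deliver, so a padded minimum frame received from the wire is reported as 60 bytes. The function names and the sample capture are constructed for illustration.

```python
import struct

ETH_MIN_ON_WIRE = 64                      # minimum Ethernet frame, FCS included
FCS_LEN = 4                               # frame check sequence, usually not captured
ETH_MIN_CAPTURED = ETH_MIN_ON_WIRE - FCS_LEN   # 60

def pcap_records(data):
    """Yield (incl_len, orig_len) for each record of a classic pcap byte string."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    offset = 24                           # skip the global header
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16 + incl_len
        if offset > len(data):
            raise ValueError("truncated packet record")
        yield incl_len, orig_len

def classify(orig_len):
    """Bucket a frame by its on-wire length as pcap reports it."""
    if orig_len < ETH_MIN_CAPTURED:
        return "unpadded"                 # handed to pcap before padding was added
    if orig_len == ETH_MIN_CAPTURED:
        return "padded-minimum"           # 64-byte frame seen without its FCS
    return "normal"

def summarize(data):
    return [(orig_len, classify(orig_len)) for _incl, orig_len in pcap_records(data)]

def build_sample():
    """Constructed capture: snaplen 96, link type 1 (Ethernet), three frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)
    frames = [
        (bytes(42), 42),                  # 14-byte header + 28-byte ARP, sent locally
        (bytes(42) + bytes(18), 60),      # same ARP received from the wire, padded
        (bytes(96), 1514),                # full-size frame truncated to the snaplen
    ]
    for ts, (payload, orig_len) in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(payload), orig_len)
        out += payload
    return out

if __name__ == "__main__":
    for orig_len, kind in summarize(build_sample()):
        print(orig_len, kind)
```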
