While running tcpdump-2002.08.08 in -X (hex+ascii) mode for IP-traffic (TCP port 23 - telnet) I was a bit frustrated by seeing the hexdump actually being larger than the IP-packet. After looking through the tcpdump sources I noticed that the hexdump always dumps the whole Ethernet frame's payload.
While this is understandable and acceptable, the fact that the data "outside" of the actual IP packet seems to be dependent on the real IP packet's payload is a bit surprising. This can be seen in the tcpdump output below:

root@foo# ./tcpdump -enlX -v -s 128 port 23
21:32:13.985791 0:e0:29:22:dc:c2 0:4:76:29:68:d9 0800 60: IP (tos 0x10, ttl 64, id 25741, len 41) 192.168.2.98.1366 > 192.168.2.90.23: P [tcp sum ok] 33:34(1) ack 29 win 32120 (DF)
0x0000   4510 0029 648d 4000 4006 5025 c0a8 0262        E..)d.@.@.P%...b
0x0010   c0a8 025a 0556 0017 6638 db56 a186 be71        ...Z.V..f8.V...q
0x0020   5018 7d78 a451 0000 616f 0000 616f             P.}x.Q..ao..ao
                                       ^ ^ replicated here...
                             ^ last byte of IP packet

The Ethernet frame is 60 bytes, the IP packet 41 bytes and 46 bytes are dumped in hex output (60 - 14). Is this how it is intended to be?

It would be really nice if the extraneous data (from the IP point of view) were only logged in -e mode, but after looking at the source I realise that this is probably not that easy to accomplish.

Any thoughts on this?

Regards,
Henrik Bergstrom

PS. For reference, here is tcpdump --version output:

root@foo# ./tcpdump --version
tcpdump version current-cvs.tcpdump.org.2002.08.08
libpcap version 0.7

-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
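The point of the post is that a capture of a minimum-size Ethernet frame holds more bytes than the IP total-length field accounts for, and a hex dump that prints the whole frame payload shows those trailing bytes next to real packet data. The parser below is an added example (not tcpdump or libpcap code) that does the split tcpdump's -X output does not: it reads the IP total length, verifies the header checksum so the boundary is trustworthy, and returns the IP packet, the TCP payload and the trailer separately. The sample frame is constructed from the MACs and the 46 hex bytes shown in the post; the 14-byte Ethernet header is reassembled from the -e line, since the dump itself starts at the IP header.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

# Constructed sample frame: Ethernet header rebuilt from the -e line in the
# post, followed by the 46 bytes of its hex dump (41-byte IP packet + 5 bytes
# of frame padding). 14 + 46 = 60 bytes, the minimum Ethernet frame size.
SAMPLE_FRAME = bytes.fromhex(
    "0004762968d9"  # destination MAC 0:4:76:29:68:d9
    "00e02922dcc2"  # source MAC      0:e0:29:22:dc:c2
    "0800"          # EtherType IPv4
    "4510 0029 648d 4000 4006 5025 c0a8 0262"
    "c0a8 025a 0556 0017 6638 db56 a186 be71"
    "5018 7d78 a451 0000 616f 0000 616f"
)


def ip_header_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum
    of the 16-bit words. Computed over a header that already contains a
    valid checksum field, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def split_frame(frame: bytes) -> dict:
    """Separate an Ethernet/IPv4 frame into Ethernet header fields, the IP
    packet proper (bounded by the IP total length), the TCP payload, and
    the trailer: whatever the capture holds beyond the IP packet."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4 header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4: EtherType 0x{ethertype:04x}")

    ip = frame[ETH_HDR_LEN:]
    version_ihl, _tos, total_len = struct.unpack("!BBH", ip[:4])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (version_ihl & 0x0F) * 4
    # Refuse lengths that do not fit the bytes actually captured; a bad
    # total length would otherwise mislabel padding as packet data.
    if ihl < 20 or total_len < ihl or total_len > len(ip):
        raise ValueError("inconsistent IHL / total length")
    if ip_header_checksum(ip[:ihl]) != 0:
        raise ValueError("IP header checksum mismatch")

    proto = ip[9]
    payload = b""
    if proto == IPPROTO_TCP and total_len >= ihl + 20:
        data_off = (ip[ihl + 12] >> 4) * 4  # TCP data offset, in bytes
        payload = ip[ihl + data_off:total_len]

    return {
        "dst_mac": dst.hex(":"),
        "src_mac": src.hex(":"),
        "ip_total_length": total_len,
        "ip_packet": ip[:total_len],
        "tcp_payload": payload,
        "trailer": ip[total_len:],
    }


if __name__ == "__main__":
    r = split_frame(SAMPLE_FRAME)
    print(f"frame {len(SAMPLE_FRAME)} bytes, IP packet {r['ip_total_length']}, "
          f"trailer {len(r['trailer'])}: {r['trailer']!r}, payload {r['tcp_payload']!r}")
```

Run on the post's frame this reports a 60-byte frame, a 41-byte IP packet, the single-byte telnet payload b"a", and a 5-byte trailer b"o\x00\x00ao". Note that the trailer is returned only after the total length has passed the bounds and checksum checks; when analysing captures, anything in that trailer is outside the packet the sender's IP stack described, whatever it happens to resemble.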
