frank_t

Reputation: 63

How to stop tcpdump from truncating HTTP payload?

I'm trying to do a capture and am seeing half the payload with '[!http]' half way through. Is there a way to make it show the whole payload?

I'm performing a REST call and want to see what the server is receiving:

                  <value>0x100000</value>
                </attribute>
              </greater-than-or-equals>
              <less-than-or-equals>
                <attribute id="0x129fa">
                 [!http]
    16:34:06.549662 IP (tos 0x0, ttl 255, id 49564, offset 0, flags [DF], proto TCP (6), length 1301)

I'm using:

tcpdump -vvv -i ens192 tcp port 8080 and src 192.168.1.1

Any help would be appreciated.

Many Thanks

Frank

Upvotes: 1

Views: 6265

Answers (1)

David Hoelzer

Reputation: 16331

It is quite likely that the problem has less to do with what you are capturing and more to do with the payload being larger than a single packet.

When you run tcpdump, these days, the default is to capture packets whose length matches the MTU of your interface (at least). You can override this, if you are unsure, by specifying a capture length of zero:

 tcpdump -s 0 -w captureFile.cap

Again, this is likely not the problem here. It is more likely that the rest of the data is in the next TCP segment. Unfortunately, tcpdump is not the ideal tool for extracting session data. I would suggest that you look at Wireshark (or tshark) which will allow you to easily select a packet and then reassemble the data stream with all of the IP and TCP headers removed.

Upvotes: 2
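As an added example (not from the question or the answer above), the reassembly the answer describes, done by hand in Python on a constructed request: each segment's TCP sequence number places its payload in the stream, which is what Wireshark's Follow TCP Stream does, and why a body that tcpdump prints packet by packet (cut off at [!http]) comes out whole. Segment, reassemble, split_http and the sample POST are assumed names and data, not anything from the original page.

```python
"""Reassemble one direction of a TCP stream from captured segments (added example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # application data carried by this segment

def reassemble(segments, isn):
    """Join payloads by sequence number relative to the initial sequence number (isn).
    Out-of-order and retransmitted segments are tolerated; a gap (a segment not
    captured) raises instead of silently producing a shortened stream."""
    rel = lambda s: (s.seq - isn) & 0xFFFFFFFF   # offset in the stream; seq space wraps at 2**32
    stream = bytearray()
    for seg in sorted(segments, key=rel):
        offset = rel(seg)
        if offset > len(stream):
            raise ValueError(f"gap: {offset - len(stream)} byte(s) missing before seq {seg.seq}")
        stream += seg.payload[len(stream) - offset:]  # skip bytes already present (retransmit)
    return bytes(stream)

def split_http(stream):
    """Split an HTTP/1.1 request into (request line, body, body_complete), where
    body_complete compares the body length with the Content-Length header."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    expected = int(headers.get(b"content-length", b"-1"))
    return lines[0], body, expected == len(body)

# Constructed sample: a POST whose XML body is split across three segments, captured
# out of order with one segment retransmitted. The ISN sits just below 2**32 so the
# last segment's sequence number wraps, a case a naive sort by seq would get wrong.
BODY = b'<attribute id="0x129fa"><value>0x100000</value></attribute>'
REQUEST = (b"POST /api/rule HTTP/1.1\r\nHost: 192.168.1.2:8080\r\n"
           b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)
ISN = (1 << 32) - 50
_cuts = [0, 40, 90, len(REQUEST)]
_in_order = [Segment((ISN + _cuts[i]) & 0xFFFFFFFF, REQUEST[_cuts[i]:_cuts[i + 1]])
             for i in range(3)]
SEGMENTS = [_in_order[2], _in_order[0], _in_order[1], _in_order[1]]  # reordered + duplicate

if __name__ == "__main__":
    request_line, body, complete = split_http(reassemble(SEGMENTS, ISN))
    print(request_line.decode(), "| body complete:", complete)
```

Feeding only the first two segments to split_http reports the body as incomplete, which is the situation tcpdump shows per packet; the full set reproduces the whole request.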
