CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: truncated-ip on tcpdump

  1. #1
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    9

    Default truncated-ip on tcpdump

    I'm receiving this message on tcpdump:


    truncated-ip - 418 bytes missing! and the ip


    What is this message? I'm having a problem of communication between my servers.

  2. #2
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    15

    Default Re: truncated-ip on tcpdump

    By default, tcpdump only catches the first 68 bytes of the frame. You have to use the -s option to get more.

    My typical tcpdump commands look something like:

    tcpdump -nn -i eth0 -s0 host 1.1.1.1
    tcpdump -nn -i eth0 -s0 ! port 8116 and ! port 22
    tcpdump -nn -i eth0 -s0 -e host 1.1.1.1
    tcpdump -nn -i eth0 -s0 -p host 1.1.1.1


    -nn = do not resolve IPs to hostnames and do not resolve port numbers to service names

    -i eth0 = Interface name. On some platforms '-i any' works, but then you don't know what interface the packet came in on.

    -e = show the layer 2 header; MAC Address, protocol etc.

    -p = By default, tcpdump is in promiscuous mode: the interface is told to accept all destination MAC addresses. You may want to do this by default. Run without -p to know if the packets/frames you're looking for are being put on the wire. Run with -p to see if they disappear. If they vanish, run without -p and with -e to see if your frames are being addressed to the wrong MAC (ARP table poisoning, duplicate IP, Layer 2 sticky devices etc.)

    -s 0 = Change the frame size limitation to unlimited.

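    The "bytes missing" number in the message is simply the part of the IP packet that a 68-byte snaplen (minus the 14-byte Ethernet header) cannot hold, so you can work backwards from it to the real packet size. The following is an added example, not code from the thread or from tcpdump; the tcpdump output lines it scans are constructed, and the snaplen and link-header sizes are assumptions that match the defaults quoted above.

```python
import re

# Assumed defaults: the 68-byte snaplen quoted in this thread (older tcpdump
# builds; modern ones capture whole packets) and a 14-byte Ethernet header.
DEFAULT_SNAPLEN = 68
ETHERNET_HEADER = 14

# Matches the message tcpdump prints when the IP total length exceeds the
# bytes actually captured.
TRUNC_RE = re.compile(r"truncated-ip - (\d+) bytes missing!")


def bytes_missing(ip_total_length, snaplen=DEFAULT_SNAPLEN, link_header=ETHERNET_HEADER):
    """Bytes of the IP packet that a capture with this snaplen cannot hold."""
    ip_bytes_captured = snaplen - link_header
    return max(0, ip_total_length - ip_bytes_captured)


def original_length(missing, snaplen=DEFAULT_SNAPLEN, link_header=ETHERNET_HEADER):
    """Recover the IP total length of a packet from the 'bytes missing' count."""
    return missing + (snaplen - link_header)


def summarize(lines, snaplen=DEFAULT_SNAPLEN, link_header=ETHERNET_HEADER):
    """Scan tcpdump output lines; return (packets, truncated, largest IP length)."""
    total = truncated = largest = 0
    for line in lines:
        if not line.strip():
            continue
        total += 1
        m = TRUNC_RE.search(line)
        if m:
            truncated += 1
            largest = max(largest, original_length(int(m.group(1)), snaplen, link_header))
    return total, truncated, largest


# Constructed sample output (not a real capture): two full-size segments and one bare ACK.
SAMPLE = """\
10:01:02.000001 IP 10.0.0.1.22 > 10.0.0.2.50000: truncated-ip - 418 bytes missing! [|tcp]
10:01:02.000123 IP 10.0.0.2.50000 > 10.0.0.1.22: Flags [.], ack 419, win 501, length 0
10:01:02.000456 IP 10.0.0.1.22 > 10.0.0.2.50000: truncated-ip - 1446 bytes missing! [|tcp]
""".splitlines()

if __name__ == "__main__":
    total, trunc, largest = summarize(SAMPLE)
    print(f"{trunc}/{total} packets truncated; largest IP packet {largest} bytes")
    if trunc:
        print(f"re-capture with -s0 (or at least -s {largest + ETHERNET_HEADER})")
```

A 1446-byte shortfall under these defaults corresponds to a 1500-byte IP packet, i.e. a full Ethernet MTU, which is the normal case for a bulk transfer and says nothing about packets being lost on the wire.
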
  3. #3
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    9

    Default Re: truncated-ip on tcpdump

    Quote Originally Posted by alienbaby View Post
    By default, tcpdump only catches the first 68 bytes of the frame. You have to use the -s option to get more.

    My typical tcpdump commands look something like:

    tcpdump -nn -i eth0 -s0 host 1.1.1.1
    tcpdump -nn -i eth0 -s0 ! port 8116 and ! port 22
    tcpdump -nn -i eth0 -s0 -e host 1.1.1.1
    tcpdump -nn -i eth0 -s0 -p host 1.1.1.1


    -nn = do not resolve IPs to hostnames and do not resolve port numbers to service names

    -i eth0 = Interface name. On some platforms '-i any' works, but then you don't know what interface the packet came in on.

    -e = show the layer 2 header; MAC Address, protocol etc.

    -p = By default, tcpdump is in promiscuous mode: the interface is told to accept all destination MAC addresses. You may want to do this by default. Run without -p to know if the packets/frames you're looking for are being put on the wire. Run with -p to see if they disappear. If they vanish, run without -p and with -e to see if your frames are being addressed to the wrong MAC (ARP table poisoning, duplicate IP, Layer 2 sticky devices etc.)

    -s 0 = Change the frame size limitation to unlimited.
    Oh really, thanks for the reply.

    Is this a problem? Am I losing communication or packets? Or is it just output from tcpdump?

  4. #4
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    9

    Default Re: truncated-ip on tcpdump

    Quote Originally Posted by crosspopz View Post
    Oh really, thanks for the reply.

    Is this a problem? Am I losing communication or packets? Or is it just output from tcpdump?
    Anyone?

  5. #5
    Join Date
    2009-04-14
    Location
    Ohio
    Posts
    405
    Rep Power
    12

    Default Re: truncated-ip on tcpdump

    Quote Originally Posted by crosspopz View Post
    Oh really, thanks for the reply.

    Is this a problem? Am I losing communication or packets? Or is it just output from tcpdump?
    Just the output from tcpdump.

  6. #6
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    9

    Default Re: truncated-ip on tcpdump

    Quote Originally Posted by bmolnar View Post
    Just the output from tcpdump.
    But I'm stating that a transfer from one server to another is too slow. Could that be the problem?

  7. #7
    Join Date
    2009-04-14
    Location
    Ohio
    Posts
    405
    Rep Power
    12

    Default Re: truncated-ip on tcpdump

    Quote Originally Posted by crosspopz View Post
    But I'm stating that a transfer from one server to another is too slow. Could that be the problem?
    Command parameters passed to tcpdump on a capture would have no impact on traffic through your firewall; they just determine what traffic, packet size, etc. tcpdump is capturing for you to view/analyze.
