CPUG: The Check Point User Group


Thread: truncated-ip on tcpdump

  1. #1
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    8

    truncated-ip on tcpdump

    I'm receiving this message on tcpdump:


    truncated-ip - 418 bytes missing! and the ip


    What is this message? I'm having a problem of communication between my servers.

  2. #2
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    14

    Re: truncated-ip on tcpdump

    By default, tcpdump only catches the first 68 bytes of the frame. You have to use the -s option to get more.

    My typical tcpdump commands look something like:

    tcpdump -nn -i eth0 -s0 host 1.1.1.1
    tcpdump -nn -i eth0 -s0 ! port 8116 and ! port 22
    tcpdump -nn -i eth0 -s0 -e host 1.1.1.1
    tcpdump -nn -i eth0 -s0 -p host 1.1.1.1

    -nn = do not resolve IPs to hostnames and do not resolve port numbers to service names

    -i eth0 = Interface name. On some platforms '-i any' works, but then you don't know what interface the packet came in on.

    -e = show the layer 2 header; MAC address, protocol etc.

    -p = By default, tcpdump is in promiscuous mode: the interface is told to accept all destination MAC addresses. You may want to do this by default. Run without -p to know if the packets/frames you're looking for are being put on the wire. Run with -p to see if they disappear. If they vanish, run without -p and with -e to see if your frames are being addressed to the wrong MAC (ARP table poisoning, duplicate IP, layer 2 sticky devices etc.)

    -s 0 = Change the frame size limitation to unlimited.
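    The "truncated-ip - N bytes missing!" text is tcpdump comparing the IPv4 total-length field against how many bytes the snapshot length (-s) actually let it capture. The script below is an added illustration, not from this thread or from tcpdump itself: it builds a small pcap in memory from a constructed 500-byte datagram (TEST-NET-1 addresses, made up for the example), cuts it at a chosen snaplen the way libpcap does, and re-derives the same "bytes missing" figure from the headers.

```python
import struct

ETH_HLEN = 14            # Ethernet header that precedes the IP header
PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap magic

def build_pcap(frames, snaplen):
    """Assemble a classic pcap file (link type 1 = Ethernet) in memory.
    Each frame is cut at snaplen, which is exactly what -s controls."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1))
    for ts, frame in frames:
        cap = frame[:snaplen]
        out += struct.pack("<IIII", ts, 0, len(cap), len(frame)) + cap
    return bytes(out)

def truncated_ip_report(pcap):
    """Re-implement tcpdump's check: the IPv4 total-length field says how long
    the datagram is; if fewer bytes were captured, report the gap."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, reports = 24, []
    while off + 16 <= len(pcap):
        ts, _, caplen, wirelen = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # Need the full 14-byte Ethernet header and a minimal 20-byte IPv4 header
        if caplen < ETH_HLEN + 20 or frame[12:14] != b"\x08\x00":
            reports.append((ts, "IPv4 header itself cut short or not IPv4"))
            continue
        ip_len = struct.unpack_from("!H", frame, ETH_HLEN + 2)[0]
        missing = ip_len - (caplen - ETH_HLEN)
        msg = f"truncated-ip - {missing} bytes missing!" if missing > 0 else "complete"
        reports.append((ts, msg))
    return reports

def sample_frame():
    """Constructed test frame: Ethernet + 20-byte IPv4 header + 480-byte payload,
    i.e. a 500-byte datagram between made-up TEST-NET-1 addresses."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 500, 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + b"\x00" * 480

if __name__ == "__main__":
    # 68 and 96 are old libpcap defaults; -s0 is turned into 262144 by libpcap
    for snaplen in (68, 96, 262144):
        print(snaplen, truncated_ip_report(build_pcap([(0, sample_frame())], snaplen)))
```

    With the 500-byte datagram, a 96-byte snapshot yields "418 bytes missing" and a 68-byte one "446 bytes missing", while -s0 reports the datagram as complete; the message is about the capture, not about packets lost on the wire.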

  3. #3
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    8

    Re: truncated-ip on tcpdump

    Quote Originally Posted by alienbaby
    By default, tcpdump only catches the first 68 bytes of the frame. You have to use the -s option to get more.

    My typical tcpdump commands look something like:

    tcpdump -nn -i eth0 -s0 host 1.1.1.1
    tcpdump -nn -i eth0 -s0 ! port 8116 and ! port 22
    tcpdump -nn -i eth0 -s0 -e host 1.1.1.1
    tcpdump -nn -i eth0 -s0 -p host 1.1.1.1

    -nn = do not resolve IPs to hostnames and do not resolve port numbers to service names

    -i eth0 = Interface name. On some platforms '-i any' works, but then you don't know what interface the packet came in on.

    -e = show the layer 2 header; MAC address, protocol etc.

    -p = By default, tcpdump is in promiscuous mode: the interface is told to accept all destination MAC addresses. You may want to do this by default. Run without -p to know if the packets/frames you're looking for are being put on the wire. Run with -p to see if they disappear. If they vanish, run without -p and with -e to see if your frames are being addressed to the wrong MAC (ARP table poisoning, duplicate IP, layer 2 sticky devices etc.)

    -s 0 = Change the frame size limitation to unlimited.

    Oh, really thanks for the reply.

    Is this a problem? Am I losing communication or packets? Or is it just output from tcpdump?

  4. #4
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    8

    Re: truncated-ip on tcpdump

    Quote Originally Posted by crosspopz
    Oh, really thanks for the reply.

    Is this a problem? Am I losing communication or packets? Or is it just output from tcpdump?

    Anyone?

  5. #5
    Join Date
    2009-04-14
    Location
    Ohio
    Posts
    405
    Rep Power
    11

    Re: truncated-ip on tcpdump

    Quote Originally Posted by crosspopz
    Oh, really thanks for the reply.

    Is this a problem? Am I losing communication or packets? Or is it just output from tcpdump?

    Just the output from tcpdump.

  6. #6
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    8

    Re: truncated-ip on tcpdump

    Quote Originally Posted by bmolnar
    Just the output from tcpdump.

    But I'm stating that a transfer from one server to another is too slow. That could be the problem?

  7. #7
    Join Date
    2009-04-14
    Location
    Ohio
    Posts
    405
    Rep Power
    11

    Re: truncated-ip on tcpdump

    Quote Originally Posted by crosspopz
    But I'm stating that a transfer from one server to another is too slow. That could be the problem?

    Command parameters passed to tcpdump on a capture would have no impact on traffic through your firewall; they just determine what traffic, packet size, etc. tcpdump is capturing for you to view/analyze.
