Tcpdump Packet Capture Truncated
Resolution
Overview
Tcpdump packet capture on the management interface, by default, captures 68 bytes or 96 bytes of data from each packet, depending on the platform. The PA-200, PA-500, and PA-2000 series captures 68 bytes of data from each packet. Any amount over the default gets truncated. All other platforms, which include PA-3000, PA-4000, PA-5000, PA-7000 and VM series capture 96 bytes of data from each packet. Any amount above 96 bytes gets truncated, because you might not capture the whole packet.
For example, when capturing LDAP, this message appears in the packet capture: "[Packet size limited during capture: LDAP truncated]"
> tcpdump filter "not port 22"
Press Ctrl-C to stop capturing
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
^C120 packets captured
Resolution
From PAN-OS 6.0, tcpdump has an option to set Snapshot Length (Snaplen), which takes a value between 0-65535.
Follow these steps to set the Snaplen to 1500:
> tcpdump filter "not port 22" snaplen 1500
Press Ctrl-C to stop capturing
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
^C20 packets captured
Note: Setting snaplen to '0' means that you will use the required length to catch whole packets. In this example, it will be set to 65535 bytes. It is a good practice to limit the Snaplen to the smallest number possible to capture the protocol or packet.
> tcpdump filter "not port 22" snaplen 0
Press Ctrl-C to stop capturing
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C81 packets captured
See Also
How To Packet Capture (tcpdump) On Management Interface
owner: dreputi