Palo Alto Networks Knowledgebase: Tcpdump Packet Capture Truncated

Tcpdump Packet Capture Truncated

18256
Created On 02/07/19 23:36 PM - Last Updated 02/07/19 23:36 PM
Mobile Network Infrastructure
Resolution

Overview

Tcpdump packet capture on the management interface, by default, captures 68 bytes or 96 bytes of data from each packet, depending on the platform. The PA-200, PA-500, and PA-2000 series captures 68 bytes of data from each packet. Any amount over the default gets truncated. All other platforms, which include PA-3000, PA-4000, PA-5000, PA-7000 and VM series capture 96 bytes of data from each packet. Any amount above 96 bytes gets truncated, because you might not capture the whole packet.

 

For example, when capturing LDAP, this message appears in the packet capture: "[Packet size limited during capture: LDAP truncated]"

> tcpdump filter "not port 22"

Press Ctrl-C to stop capturing

 

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

^C120 packets captured

User-added image

Resolution

From PAN-OS 6.0, tcpdump has an option to set Snapshot Length (Snaplen), which takes a value between 0-65535.

 

Follow these steps to set the Snaplen to 1500:

> tcpdump filter "not port 22" snaplen 1500

Press Ctrl-C to stop capturing

 

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes

^C20 packets captured

 

Note: Setting snaplen to '0' means that you will use the required length to catch whole packets. In this example, it will be set to 65535 bytes. It is a good practice to limit the Snaplen to the smallest number possible to capture the protocol or packet.

> tcpdump filter "not port 22" snaplen 0

Press Ctrl-C to stop capturing

 

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

^C81 packets captured

 

See Also

How To Packet Capture (tcpdump) On Management Interface

 

owner: dreputi



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm88CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language