I am writing an application which work with network. To perform some tests I need to reproduce the flow which I had a day before. But at the same time it is not allowed to stop the current working listener. I also cant rewrite existing program in order to save the incoming flow. In order to solve my task I decided to use tcpdump.
I run tcpdump on the destination machine with the command:
tcpdump -w capture.cap -n "dst host host.domain.com and port 5555"
When I read the capture.cap with tcpick or with scapy. I can see that all the useful data which was longer then 1472 bytes is truncated to be with the length 1472. But in the header it is still written the original length of packet.
As I can judge, UDP packet splits for the several and then concatenated again. But tcpdump probably filter out all packages without header (which should appear only in the first packet)
Is there any way to dump full UDP packages?
Best Answer
If an IP packet is bigger than the MTU of the network link on which the packet is being sent, IP will fragment it into IP packets that can fit on the network; that's done by the IP layer, not the UDP layer.
The MTU of an Ethernet is normally 1500 bytes (the maximum Ethernet packet size is 1518, which includes 14 bytes of header, 1500 bytes of payload, and 4 bytes of FCS). An IPv4 header is 20 bytes if it has no options, and a UDP header is 8 bytes, so the maximum UDP payload size is 1500-28 = 1472.
So IP splits the packet into two or more fragments, and reassembles them on the receiving machine.
See the related question for a discussion of why tcpdump isn't capturing any fragments other than the first fragment.