Hi Dario,

Try

    tcpdump -s 1500 -w your_pcap.cap ip[21]==89

This will capture the full packets. By default, tcpdump will only capture 68 bytes of the packet. man tcpdump will explain the snaplen (-s option).

Hope this helps,
Mike

On Mon, Nov 03, 2003 at 11:36:17AM +0100, Dario Lombardo wrote:
> Hi guys
> I experienced this problem some days ago using tcpdump and tethereal.
> I made a capture with tcpdump in order to get OSPF packets. My filter
> was ip[21]==89. I saved my data into a pcap file, but when I opened it
> with ethereal I found many packets marked [Short frame], and effectively
> they were truncated. I made the same capture with tethereal (same
> options) and I got a different result: the packets were captured
> correctly, at full length.
> These are my versions:
>
> Red Hat Linux release 8.0 (Psyche)
> tcpdump-3.6.3-17.8.0.3
> ethereal-0.9.13-1.80.1
> libpcap-0.6.2-16
>
> Any idea?
>
> --
> Dario Lombardo
> Centro Sicurezza Be-Secure
> Telecom Italia LAB
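
Added example, not part of the original thread: a short Python check that reads a classic pcap file's global header and per-record headers to report the snaplen the capture was taken with and which packets were cut short (captured length below on-the-wire length), which is the condition behind the [Short frame] marking. The function names and the sample capture are constructed for illustration.

```python
import io
import struct

# Classic pcap magic bytes as they appear on disk -> struct byte-order prefix.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}

def scan_pcap(stream):
    """Return (snaplen, total_records, truncated); truncated holds
    (record_number, captured_len, wire_len) for every cut-off packet."""
    header = stream.read(24)
    if len(header) < 24 or header[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file")
    endian = PCAP_MAGICS[header[:4]]
    # version major/minor, thiszone, sigfigs, snaplen, link type
    _, _, _, _, snaplen, _ = struct.unpack(endian + "HHiIII", header[4:])
    total, truncated = 0, []
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            break
        _, _, caplen, wire_len = struct.unpack(endian + "IIII", rec)
        if len(stream.read(caplen)) < caplen:
            break  # the file itself ends mid-record
        total += 1
        if caplen < wire_len:
            truncated.append((total, caplen, wire_len))
    return snaplen, total, truncated

def build_sample(snaplen, wire_lengths):
    """Constructed capture: zero-filled packets clipped to snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for n in wire_lengths:
        caplen = min(n, snaplen)
        out += struct.pack("<IIII", 0, 0, caplen, n) + bytes(caplen)
    return out

if __name__ == "__main__":
    # Constructed wire lengths; 1514 is a full-size Ethernet frame
    # (14-byte link header + 1500-byte IP packet), so it exceeds -s 1500.
    for snap in (68, 1500):
        sample = io.BytesIO(build_sample(snap, [64, 98, 1514]))
        snaplen, total, cut = scan_pcap(sample)
        print(f"snaplen={snaplen}: {len(cut)}/{total} truncated {cut}")
```

To check a real capture, pass `open("your_pcap.cap", "rb")` to `scan_pcap`; the snaplen includes the link-layer header, so a frame at the full Ethernet MTU is still clipped at 1500.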