On Nov 30, 2010, at 10:35 PM, Mali Shternhell wrote:

> Hi, thanks for the response.
> My question is why tcpdump doesn't parse the large SNMP response packet
> as it does for the typical response packet.

Because the SNMP printer routine that parses an ASN.1 BER item will quit if the 
length of the item is less than the amount of *captured* packet data available, 
and you captured with "-s 200", so any data past the first 200 bytes of the 
packet data were discarded.

> Can you say if it is possible for tcpdump to present the message type and
> OID in case of large SNMP packets?

Try capturing with "-s 0" to capture the entire packet, and see if that works.

If it doesn't, the packets might be fragmented at the IP layer, and tcpdump 
would have to be changed to do IP reassembly, or the SNMP printer would have to 
be changed so that, for example, it only does the bounds checking for primitive 
types (*if* that's sufficient to keep it from walking past the end of the 
packet).

-
This is the tcpdump-workers list.
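The captured-length check on BER items discussed in the message above, together with the suggested relaxation (bounds-check only primitive types), as an added sketch that is not tcpdump's code. The function names, the `strict` flag and the sample bytes are assumptions made for illustration; 158 stands for the SNMP payload left by a 200-byte snapshot, assuming Ethernet, IPv4 and UDP headers without options.

```c
#include <stdint.h>
#include <stdio.h>
enum ber_status { BER_OK, BER_TRUNC_HDR, BER_TRUNC_BODY, BER_UNSUPPORTED };
struct ber_item { uint8_t tag; size_t hdr_len, len; };

/* Parse one BER tag/length header from buf[0..caplen); never reads past caplen. */
enum ber_status ber_header(const uint8_t *buf, size_t caplen, struct ber_item *it)
{
    if (caplen < 2) return BER_TRUNC_HDR;
    it->tag = buf[0];
    if ((it->tag & 0x1f) == 0x1f) return BER_UNSUPPORTED;  /* high-tag-number form */
    size_t pos = 2, n = buf[1];
    it->len = n;                                           /* short form */
    if (n >= 0x80) {                                       /* long form */
        n &= 0x7f;
        if (n == 0 || n > sizeof(size_t)) return BER_UNSUPPORTED;
        if (caplen - pos < n) return BER_TRUNC_HDR;
        for (it->len = 0; n > 0; n--) it->len = (it->len << 8) | buf[pos++];
    }
    it->hdr_len = pos;
    return it->len > caplen - pos ? BER_TRUNC_BODY : BER_OK; /* content must fit */
}

/* A cut-short item is tolerated only in relaxed mode and only if constructed. */
static int usable(enum ber_status st, const struct ber_item *it, int strict)
{
    return st == BER_OK || (st == BER_TRUNC_BODY && !strict && (it->tag & 0x20));
}

/* PDU tag of an SNMPv1/v2c message, or -1 when parsing has to stop early. */
int snmp_pdu_tag(const uint8_t *buf, size_t caplen, int strict)
{
    struct ber_item it;
    if (!usable(ber_header(buf, caplen, &it), &it, strict) || it.tag != 0x30) return -1;
    size_t pos = it.hdr_len;
    size_t end = it.len > caplen - pos ? caplen : pos + it.len;
    for (int i = 0; i < 2; i++) {        /* version, community: must be complete */
        if (ber_header(buf + pos, end - pos, &it) != BER_OK) return -1;
        pos += it.hdr_len + it.len;
    }
    return usable(ber_header(buf + pos, end - pos, &it), &it, strict) ? it.tag : -1;
}

int main(void)
{   /* Constructed sample: headers of a 304-byte GetResponse, varbind bytes zeroed. */
    uint8_t pkt[304] = { 0x30,0x82,0x01,0x2c, 2,1,1, 4,6,'p','u','b','l','i','c', 0xa2,0x82,0x01,0x1d };
    printf("%d %d %d\n", snmp_pdu_tag(pkt, 304, 1), snmp_pdu_tag(pkt, 158, 1), snmp_pdu_tag(pkt, 158, 0));
    return 0;
}
```

With the full 304 bytes the strict parser reaches the PDU tag (0xa2, GetResponse); with 158 bytes it stops at the outer SEQUENCE, while the relaxed mode still reaches the tag and rejects a truncated primitive.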