Yeah, seems you're right. After upgrading to libpcap 1.2.1 I see failed sends only on packets with size of 1518 bytes, before that (with default libpcap 0.8 from Debian repository) I saw packets of >2000 bytes.
Why I cannot send such packets (of 1518 bytes) by pcap_sendpacket()? > -----Original Message----- > From: [email protected] [mailto:tcpdump-workers- > [email protected]] On Behalf Of Aaron Turner > Sent: Thursday, February 23, 2012 6:49 PM > To: [email protected] > Subject: Re: [tcpdump-workers] why I'm capturing packets larger than MTU size > > On Thu, Feb 23, 2012 at 6:31 AM, Andriy Tylychko <[email protected]> > wrote: > > I capture network traffic on Debian 5 and 6 with libpcap v. 1.2.1 > > compiled from sources. Then I send these traffic by pcap_sendpacket(). > > Sometimes there're packets (both TCP and UDP) larger than default MTU > > size (1500 bytes). I cannot send these packets with error: "send error: > > packetSendPacket failed". Found this post: > > http://seclists.org/tcpdump/2007/q2/112 "[Patch] libpcap support for > > IP fragment reassembly", but I didn't enable such reassemply. > > Open your pcap in wireshark... see what's there beyond the 1500 byte limit. I'm > going to guess it's the ethernet trailer and not re-assembled IP fragements. > Easiest to do it remove the trailer with something like tcprewrite. > > > -- > Aaron Turner > http://synfin.net/ Twitter: @synfinatic http://tcpreplay.synfin.net/ - Pcap > editing and replay tools for Unix & Windows Those who would give up essential > Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. > -- Benjamin Franklin > "carpe diem quam minimum credula postero" > - > This is the tcpdump-workers list. > Visit https://cod.sandelman.ca/ to unsubscribe. - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
