Ethereal-users: Re: [Ethereal-users] Difference between TCPDump capture file and Ethereal captur

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Jacky Buyck" <jacky.buyck@xxxxxxxxxx>
Date: Thu, 13 Mar 2003 21:31:32 +0100
Hi.
    Thanks for the information.
    I've quickly checked it at home and I think the problem comes from this.
I've looked at the capture size compared to the real size of the packet and yes,
packets captured with tcpdump are truncated! We must use the -s 0 or -s 65635
option.
    I'll check tomorrow if H323 decoding is correct in this way.

    Really, thanks to all of you.
    I also must congratulate the people who have worked on tcpdump and
ethereal. These tools are really great. The last thing I've discovered
regarding tcpdump is the possibility to make progressive filtering on a raw
dump.
    Let me explain. Use the following command
        tcpdump [-i <interface>] [-c <packet_count>] -s 0 -w file.sniff
    This file will contain the complete dump of all that happened on the
network.
    If you're only interested in some part of this file (to send the dump to
distinct network support) use this:
        tcpdump -r file.sniff <filter_1> -w select_dump_1.sniff
        tcpdump -r file.sniff <filter_2> -w select_dump_2.sniff
        ...
    It's really great and only a well thought-out program can do this.

Great job and congratulations.
JB



----- Original Message -----
From: "Guy Harris" <guy@xxxxxxxxxx>
To: "BUYCK Jacky FTRD/DMI/CAE" <jacky.buyck@xxxxxxxxxxxxxxxxxxxx>
Cc: <ethereal-users@xxxxxxxxxxxx>; <jacky.buyck@xxxxxxxxxx>
Sent: Thursday, March 13, 2003 7:09 PM
Subject: Re: [Ethereal-users] Difference between TCPDump capture file and Ethereal capture file


> On Thu, Mar 13, 2003 at 06:04:48PM +0100, BUYCK Jacky FTRD/DMI/CAE wrote:
> > Is there a difference between a file captured by the following command:
> > tcpdump -w file
> > and a dump captured through ethereal?
>
> Yes.
>
> If you run
>
> tcpdump -w file
>
> to do a capture, the packets will be truncated to the default tcpdump
> "snapshot length", which is typically 68 bytes if tcpdump wasn't built
> with IPv6 support or 96 bytes if tcpdump was built with IPv6 support.
> Only the first 68 or 96 bytes of the packet (depending on the default)
> will be saved in the capture.
>
> If you use Ethereal to do a capture, and don't turn on the "Limit each
> packet to {N} bytes" option ("N" defaults to 68), the entire packet will
> be saved in the capture file.
>
> > Why is the interpretation not the same in both???
>
> Probably because tcpdump doesn't, by default, save the entire packet.
> Check whether any of the packets dissected differently have different
> "bytes on wire" and "bytes captured" values in the "Frame N" line of the
> detailed dissection in the middle pane in the tcpdump capture - if
> "bytes captured" is less than "bytes on wire" in the tcpdump capture,
> that's the problem.
>
> > Doesn't 'tcpdump -w file' capture the whole packet length?
>
> No, it doesn't.  If you want to do that, you'd have to do
>
> tcpdump -s 65535 -w file
>
> or, in recent versions of tcpdump:
>
> tcpdump -s 0 -w file
>
> (in recent versions of tcpdump, a snapshot length of 0 means "make the
> snapshot length 65535").
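Guy's diagnostic (compare "bytes captured" with "bytes on wire" in the Frame N line) and JB's "-s 0" fix can both be checked directly on a capture file without opening it in Ethereal. The following is an added example, not code from the thread or from the tcpdump/Ethereal projects: it parses the classic libpcap file format (24-byte global header carrying the snaplen, then a 16-byte record header per packet with incl_len and orig_len) and lists every frame whose saved length is shorter than its on-wire length. The sample captures are constructed in the script, one written as if with tcpdump's default 68-byte snaplen and one with 65535, so it runs offline; the timestamp value and frame contents are made up.

```python
"""Flag snaplen-truncated packets in a classic libpcap capture.

Added example (not from the mailing-list thread): a minimal pcap reader
that reports frames where "bytes captured" (incl_len) is less than
"bytes on wire" (orig_len).  Truncated frames are the usual reason a
protocol such as H.323 dissects differently from a full-length capture.
"""
import struct
from typing import List, NamedTuple, Tuple

PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"   # classic pcap, big-endian fields
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # classic pcap, little-endian fields
GLOBAL_HDR_LEN = 24                   # magic + version + tz + sigfigs + snaplen + linktype
RECORD_HDR_LEN = 16                   # ts_sec + ts_usec + incl_len + orig_len


class Record(NamedTuple):
    index: int      # 1-based, matches Ethereal's "Frame N"
    caplen: int     # bytes captured (saved in the file)
    origlen: int    # bytes on wire


class Report(NamedTuple):
    snaplen: int
    total: int
    truncated: List[int]   # frame numbers with caplen < origlen


def parse_records(data: bytes) -> Tuple[int, List[Record]]:
    """Return (snaplen, records) for a classic pcap byte string."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file too short for a pcap global header")
    magic = data[:4]
    if magic == PCAP_MAGIC_BE:
        end = ">"
    elif magic == PCAP_MAGIC_LE:
        end = "<"
    else:
        raise ValueError("not a classic pcap file (unknown magic)")
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, snaplen, _ = struct.unpack(end + "HHiIII", data[4:GLOBAL_HDR_LEN])
    records: List[Record] = []
    off = GLOBAL_HDR_LEN
    n = 0
    while off + RECORD_HDR_LEN <= len(data):
        _, _, caplen, origlen = struct.unpack(end + "IIII", data[off:off + RECORD_HDR_LEN])
        n += 1
        if caplen > snaplen:
            raise ValueError(f"frame {n}: incl_len {caplen} exceeds snaplen {snaplen}")
        if off + RECORD_HDR_LEN + caplen > len(data):
            raise ValueError(f"frame {n}: record body runs past end of file")
        records.append(Record(n, caplen, origlen))
        off += RECORD_HDR_LEN + caplen
    if off != len(data):
        raise ValueError("trailing bytes after the last record")
    return snaplen, records


def truncation_report(data: bytes) -> Report:
    """Summarise which frames were cut short by the capture snaplen."""
    snaplen, records = parse_records(data)
    truncated = [r.index for r in records if r.caplen < r.origlen]
    return Report(snaplen, len(records), truncated)


def build_pcap(snaplen: int, frames: List[bytes]) -> bytes:
    """Construct a little-endian pcap file, truncating each frame to
    snaplen the way 'tcpdump -s <snaplen> -w' does (constructed data)."""
    out = bytearray(PCAP_MAGIC_LE)
    out += struct.pack("<HHiIII", 2, 4, 0, 0, snaplen, 1)   # v2.4, LINKTYPE_ETHERNET
    for i, frame in enumerate(frames):
        saved = frame[:snaplen]
        # ts_sec is an arbitrary constructed value; ts_usec is zero
        out += struct.pack("<IIII", 1047591092 + i, 0, len(saved), len(frame))
        out += saved
    return bytes(out)


# Constructed frames: one short (ARP-sized) frame and two that exceed 68 bytes.
SAMPLE_FRAMES = [bytes(60), bytes(1514), bytes(200)]

TCPDUMP_DEFAULT = build_pcap(68, SAMPLE_FRAMES)     # as 'tcpdump -w file'
FULL_CAPTURE = build_pcap(65535, SAMPLE_FRAMES)     # as 'tcpdump -s 0 -w file' / Ethereal

if __name__ == "__main__":
    for name, cap in (("tcpdump default", TCPDUMP_DEFAULT), ("snaplen 65535", FULL_CAPTURE)):
        rep = truncation_report(cap)
        print(f"{name}: snaplen={rep.snaplen} frames={rep.total} "
              f"truncated={rep.truncated or 'none'}")
```

Run against a real file with `truncation_report(open("file.sniff", "rb").read())`; a non-empty `truncated` list on the tcpdump capture and an empty one on the Ethereal capture of the same traffic confirms the snaplen explanation from the reply above. The reader only handles the classic pcap format, not pcapng.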