Andreas Heise wrote:
Hi Klaus,
Please try again with "tcpdump port 5060 -s 1600 -v". With -v, the message seems to be decoded only if the IP packet is complete (-s 1600).
Tested with tcpdump version 3.9.5, libpcap version 0.9.5 on Debian.
# tcpdump port 5060 -s 1600 -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1600 bytes
01:03:48.001623 IP (tos 0x0, ttl 120, id 14327, offset 0, flags [none], length: 693) 80-121-18-58.adsl.highway.telekom.at.51401 > sip.at43.at.sip: [udp sum ok] UDP, length: 665
01:03:48.002965 IP (tos 0x10, ttl 64, id 1892, offset 0, flags [DF], length: 399) sip.at43.at.sip > 80-121-18-58.adsl.highway.telekom.at.51401: [udp sum ok] UDP, length: 371

# tcpdump -V
tcpdump version 3.8.3
libpcap version 0.8.3
Probably my tcpdump is too old (Debian sarge).
Thanks anyway,
Klaus