tcpdump does not truncate packets

[ikuzar]

Hi all,
I try to read and truncate packets from a pcap file with tcpdump with a snaplen -s 96 before dumping it:
tcpdump -r input_file.pcap -s 96 -w output_file.pcap
But when I open output_file.pcap with wireshark, packets' length seems to be unchanged... (greater than 96, example: "165 bytes on wire, 165 bytes captured").
Does something go wrong with this syntax ? how does tcpdump work with -s option ?

Here is my environement:
Ubuntu 10.04 Linux 2.6.32-74-generic
tcpdump version 4.0.0
libpcap version 1.0.0

Thanks for your help,

Ikuzar

[stevekay]

The snaplen parameter only affects captures being read from a network interface. Using the snaplen parameter when reading from a file has no effect.

If you look in tcpdump.c you'll see the pcap_set_snaplen function is only called when doing a live capture.

[guyharris]

Presumably he wants to take a capture file captured with a large snapshot length, so that it has full packet data, and trim the packets down so that they only contain the data they care about. Wireshark's editcap can do this; it might be a useful enhancement for tcpdump as well.

But, yes, it's an enhancement; it was not something tcpdump was intended to do since the beginning, so it's not a bug that it doesn't work.

[infrastation]

I agree it would be nice to have this feature, but it has been more than 5 years. If anybody is willing to implement it, they are welcome to prepare the changes and open a pull request. Closing.