2
votes

I am running tcpdump to capture UDP messages on a specific port. The UDP traffic being captured contains fragmented UDP packets.

When a fragmented UDP packet is encountered, tcpdump is only capturing the first fragment. (Probably because only the first fragment contains the port information).

Is there a switch on tcpdump that will capture all the fragments of a UDP packet even when messages from a port are being filtered?

1
I think you would need to add a clause in your filter to capture all fragmented IP packets, then use a tool like Wireshark that can re-assemble the IP packets for you. - upello
What are you trying to accomplish with the reassembled UDP stream? - mavam
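As an added example (not code from the question, the comments or the answer), the Python below mirrors how libpcap evaluates a plain `udp port N` filter against the fragment-aware filter upello's comment points to, `udp port N or (ip[6:2] & 0x1fff != 0)`, on two constructed IPv4 fragments of one UDP datagram; the port 5000 and the addresses are assumptions.

```python
import struct

PORT = 5000  # assumed port of interest; not taken from the original post
MF = 0x1     # IPv4 "more fragments" bit of the 3-bit flags field

def ipv4_header(ident, flags, offset, proto, payload_len):
    """Minimal 20-byte IPv4 header; addresses are constructed samples."""
    frag_field = (flags << 13) | (offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       frag_field, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def frag_offset(pkt):
    """13-bit fragment offset from the IPv4 header (ip[6:2] & 0x1fff)."""
    return struct.unpack("!H", pkt[6:8])[0] & 0x1FFF

def udp_ports(pkt):
    """(sport, dport) from the UDP header that follows the IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!HH", pkt[ihl:ihl + 4])

def port_only_filter(pkt, port=PORT):
    """'udp port N' as libpcap compiles it: ports are only examined on
    first fragments (offset 0), so later fragments never match."""
    if pkt[9] != 17 or frag_offset(pkt) != 0:
        return False
    return port in udp_ports(pkt)

def port_or_fragments_filter(pkt, port=PORT):
    """'udp port N or (ip[6:2] & 0x1fff != 0)': additionally keeps every
    non-first fragment, from any flow, so a reassembler sees them all."""
    return port_only_filter(pkt, port) or frag_offset(pkt) != 0

def sample_fragments():
    """Two fragments of one 2000-byte UDP datagram to PORT (constructed)."""
    payload = b"A" * 2000
    udp = struct.pack("!HHHH", 40000, PORT, 8 + len(payload), 0)
    first_data = udp + payload[:1472]          # 1480 bytes after the IP header
    first = ipv4_header(0x1234, MF, 0, 17, len(first_data)) + first_data
    rest = payload[1472:]
    second = ipv4_header(0x1234, 0, 1480 // 8, 17, len(rest)) + rest
    return [first, second]

def captured(filter_fn, packets):
    """Number of packets a capture using filter_fn would keep."""
    return sum(1 for p in packets if filter_fn(p))
```

The fragment clause cannot be tied to a port, so the combined filter also keeps non-first fragments of unrelated flows; the reassembling tool then discards those that never pair with a matching first fragment.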

1 Answer

1
votes

I could be wrong but I think what you mean is how to extend the snaplen as you're only catching a snippet of the packet with tcpdump. The default snaplen is usually 68 bytes.

Setting snaplen to 0 sets it to the default of 65535 bytes so run tcpdump with "-s 0" to capture everything. Are you running with the '-s' switch?

It's recommended that you limit snaplen to the smallest number that will capture the protocol information you're interested in.

HTH!