[SOLVED] Wireshark : Packet size limited during capture


Wireshark and tcpdump are the two of the most useful tools in debugging a certain issue. Every now and then I use tcpdump to capture network packets in linux or unix platform and use wireshark to analyze the captured packets. I can’t imagine myself debugging network related issues without those two tools, it will be crawling in the dark =)

Recently we have an issue pertaining to HTTP transactions and I have to use tcpdump to capture the packets to see the exact data send out to our server. I got the  tcpdump with the http transaction however in wireshark I got a message with “Packet size limited during the capture“, you can see below screenshot.

You can see my full article at below article.



Multi-homed host

Posted in NETWORKING/IP ROUTING by edeguzman on September 17, 2008

If you had multiple LAN interface in your PC and want to connect to a multiple LAN without losing you internet connection. Then this is will be a guide for you.

* First configure your interfaces with the necessary IP addresses.
* Second set up one of your interfaces to have the default route. Note this   will be interface that you want to connect to your Internet.
* Third set up the other interface to have a static route entry pointing to its
nexthop (usually the router) and leave its default gateway blank.
* 4th verify connections. Issue an ICMP request (using ping) to your default
gateway and to the nexthop IP address.

My case was different. We had here two internet connections, the 1st connection was within the private LAN and other connection was for public used. Both connection is connected to different squid cache and has different firewall configuration on it. My internet connection was connected to the first connection but there are sites that I want to access in which they were being blocked. That’s why I need the second connection
just for internet use and the other connection for intranet use.

And the above procedure works fine for me. Command for configuring static entry.

route add mask

If DHCP is used to assign IP addresses on the LAN, the DHCP server should be configured to not provide a default gateway.

Community no-export for the advertising route in BGP

Posted in NETWORKING/IP ROUTING by edeguzman on October 20, 2007

This configuration shows how to set a community attribute of no-export to your advertising route. Perhaps that you want that your route will only be given to your neighboring AS and you don’t want that route to be advertised to another AS. Basically it is just telling your neighboring that this route is only for you and you should adverstised to other AS. This is done by setting the community attribute no-export your advertising route. Below is the configuration.

router eigrp 100

passive-interface Serial0/0


no auto-summary


router bgp 100

bgp log-neighbor-changes

aggregate-address attribute-map ORIGIN suppress-map VERMONT

redistribute eigrp 100

neighbor remote-as 200

neighbor send-community

neighbor route-map COMMUNITY out


ip classless

ip route Null0

ip http server


access-list 1 permit

access-list 1 permit

access-list 101 permit ip host host

route-map ORIGIN permit 10

set origin incomplete


route-map COMMUNITY permit 10

match ip address 101

set community none


route-map COMMUNITY permit 20

set community no-export


route-map VERMONT permit 10

match ip address 1


The configuration shows that the router is advertising an aggregated route which has attribute-map and suppress-map. I will break down this configuration into pieces,

Aggregate-address , this command triggers an aggregated route to be advertised to the neighboring AS.

Attribute-map, this command sets attribute to the advertising aggregated route. The ORIGIN in the configuration is a route-map calling function which it will set the attribute. The ORIGIN route-map I specify in my configuration simply changing the default origin into incomplete.

Suppress-map, this command specifies a more specific route to be included in the advertising route. Of course a matching access list should be followed.

Notice in my configuration the command neighbor route-map COMMUNITY out, this specifies a route-map calling function for COMMUNITY. The route-map under the COMMUNITY will match all the conditions. There area two route maps for COMMUNITY, the sequence 10 route map for COMMUNITY will be the first one to be process. It will match the access list 101 specified and if there’s a match it will set a none attribute for that route. If there’s no match it will go to the sequence 20 route map for processing, this will right away set the attribute of no-export community for the route entry.

BGP : Blocking a route entry to the Aggregating Address

Posted in NETWORKING/IP ROUTING by edeguzman on October 8, 2007

Suppose that there’s a route entry that has a community attribute of no_export or should I say that there’s a route entry that you don’t want to be part of the aggregating address. There’s a lot of reason on why you might consider a route entry to be not a part of the aggregating address. One reason is a route entry can have a different attribute that you want to preserve, like in an instant a route entry can have a community attribute of no_export in which this attribute is essential because it tells the router that a route entry having no_export should not be advertise in different AS. That’s why its not a good idea having that route entry to be part of the aggregating address.

Below is the sample configuration during my laboratory. I also observed the packet in the wire.

router bgp 200

aggregate-address as-set summary-only advertise-map AllowRoute

neighbor remote-as 500

neighbor remote-as 400

neighbor remote-as 300

neighbor remote-as 100


ip classless

no ip http server


access-list 1 deny

access-list 1 permit any

route-map AllowRoute permit 10

match ip address 1


Observe that in my configuration there is an access-list in which it denies the route entry of and permit any route entry other than Basically this is the route entry is the one that I don’t want to be part of the aggregating address.

There is also a route-map in my configuration, because this route-map is being called in the BGP process, if you see the advertise-map AllowRoute that is the calling function for the route-map. Basically in the route-map it just matches the access-list for all the routes that is being advertised for the neighboring peer. Now if there’s a route entry for this will be blocked in access-list and not be advertised. This is just a simple way of doing it. There is a lot of ways of doing it especially to a large scale network.

BGP feature’s configuration

Posted in NETWORKING/IP ROUTING by edeguzman on October 6, 2007

Neighbor description – can be entered under an interface configuration. This is helpful because when the BGP configuration is already elaborate, this will serve you a reminder of who and where each neighbor. Can obtain to 80 characters.

Sample config:
Neighbor remote-as 500
Neighbor description ———–T1 to mynetwork.

Neighbor Password – two peers can have an authentication with password. Cisco IOS uses MD5 authentication when a neighbor password is configured.

Sample config:
Neighbor remote-as 500
Neighbor password

Neighbor advertisement-interval – this will change the default BGP update interval to a specified between 0 and 600 seconds. But this is not advisable to change the default unless you know the consequences. This is useful when there is large updates receiving in the neighbor. Convergence time will greatly affect changing this time.

Sample config:
Neighbor remote-as 500
Neighbor advertisement-interval

Neighbor version – when a neighboring peer cannot support the BGP-4. This command will negotiate to have its version be lower to compensate the version of the other peer.

Sample config:
Neighbor remote-as 500
Neighbor version

Neighbor maximum-prefix – this will limit the number of prefixes that a router will receive fro the neighboring peer. If the limit is exceeded then router closes the BGP session and cannot re-established its peer.

Sample config:
Neighbor remote-as 500
Neighbor maximum-prefix

Another config:
Neighbor remote-as 500
Neighbor maximum-prefix 90 warning-only
This configuration will not close the BGP session but instead it will cause the router to generate log message. When the 90% of the maximum-prefix was reached it will then cause to log a message.

Neighbor shutdown – this will shutdown the neighbor connection in that sense there will be no TCP connection between the neighbor. This is useful when you only want to temporarily disconnect your peer.

Sample config:
Neighbor remote-as 500
Neighbor shutdown

Timers bgp – this command will change the default time for keepalive and holddown intervals. The default time interval for keepalive is 60 seconds and holddown interval is 180 seconds. This command is useful if you want a fast detection of the unreliable peer. This command is necessary configured to every peer in the AS. Because there is still negotiation occur on the process of building an established state of the peer.

Sample config:
Neighbor remote-as 500
Timer bgp

When there is changes done to BGP process, a reset connection is must be done to be able have an update BGP route that is affected by the changes in the BGP process. Below are the useful commands for resetting the BGP connection.

Clear ip bgp * – this command is issue in the privileged mode. This command will reset all of the router’s BGP connections.

Clear ip bgp – this command will reset connection to the neighbor

Clear ip bgp mygroup – this command will reset the connection to all members of the peer group name mygroup.

Resetting a connection will cause a Cease notification be sent to the neighbor. In that sense the TCP connection is closed and BGP routes will be then a withdrawn routes. A new BGP connection will be then be established. Resetting the whole connection will cause a serious consequences to the network. Reset only the affected neighbor to avoid possible problems in the network.

Cisco provides another way in resetting the connections. This alternative way will not tear down the TCP and BGP connection. This command will only cause a trigger update for the affected changes. Triggered update for this command can happened for outbound, inbound or both. Outbound is the out going traffic while the inbound is the incoming traffic. Below is the sample config.

Clear ip bgp soft out – if you done a changes in your BGP process and the neighbor is affected to the changes you made, use this command to cause and trigger update for that neighbor. This is an outbound type.

The configuration for inbound is different thing, because you need to configured in the BGP process the command neighbor x.x.x.x soft-configuration inbound before inbound command is used. Take not inbound is used when you done changes to your BGP process that affects the incoming traffic. The command clear ip bgp soft in is then used for every neighbor that is affected in the changes. For both inbound and outbound the command clear ip bgp x.x.x.x soft.

There is a drawback for using the soft reconfiguration, it uses a router’s memory to stored its updates for the inbound.