Ethereal-users: Re: [Ethereal-users] tethereal vs tcpdump

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 3 Nov 2003 02:42:52 -0800
On Mon, Nov 03, 2003 at 11:36:17AM +0100, Dario Lombardo wrote:
> I experienced this problem some days ago using tcpdump and tethereal.
> I made a capture with tcpdump in order to get OSPF packets. My filter 
> was ip[21]==89. I saved my data into a pcap file, but when I opened it 
> with ethereal I found many packets marked [Short frame], and effectively 
> they were truncated. I made the same capture with tethereal (same 
> options) and I got a different result: the packets were captured 
> correctly, at full length.

Yes, tcpdump defaults to a snapshot length of 68 bytes (if it's a
version that doesn't support IPv6) or 96 bytes (if it's a version that
supports IPv6), but Ethereal and Tethereal default to a snapshot length
of 65535 bytes (meaning "capture the entire packet").

If you want to capture the full packet with tcpdump, you have to use "-s
65535" or, in newer versions of tcpdump, "-s 0" (which means "full
length").
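
To check an existing capture file for the truncation discussed in this thread, the sketch below reads the snapshot length from the classic pcap global header and lists records whose captured length is less than their on-the-wire length. It is an added example, not part of the original message or of tcpdump/Ethereal; the names `scan_pcap` and `build_sample` are hypothetical, the sample capture is constructed in memory, and only the classic pcap format (not pcapng) is assumed.

```python
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def scan_pcap(stream):
    """Return (snaplen, total_packets, truncated) for a classic pcap stream;
    truncated lists (index, captured_len, original_len) where captured < original."""
    header = stream.read(24)
    if len(header) < 24:
        raise ValueError("not a pcap file: global header too short")
    # The magic number tells us the byte order the file was written in.
    if struct.unpack("<I", header[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", header[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("unsupported magic (pcapng or nanosecond pcap?)")
    # version major/minor, thiszone, sigfigs, snaplen, link type
    _, _, _, _, snaplen, _ = struct.unpack(endian + "HHiIII", header[4:])
    total, truncated = 0, []
    while True:
        rec = stream.read(16)
        if not rec:
            break
        if len(rec) < 16:
            raise ValueError("file ends inside a record header")
        # ts_sec, ts_usec, captured length, original (wire) length
        _, _, caplen, origlen = struct.unpack(endian + "IIII", rec)
        data = stream.read(caplen)
        if len(data) < caplen:
            raise ValueError("file ends inside packet data")
        if caplen < origlen:
            truncated.append((total, caplen, origlen))
        total += 1
    return snaplen, total, truncated

def build_sample(snaplen, wire_lengths):
    """Constructed sample: a pcap whose packets are zero bytes cut at snaplen."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for n in wire_lengths:
        cap = min(n, snaplen)
        out += struct.pack("<IIII", 0, 0, cap, n) + bytes(cap)
    return out

if __name__ == "__main__":
    # Constructed input: three packets captured with a 68-byte snapshot length.
    print(scan_pcap(io.BytesIO(build_sample(68, [64, 98, 1514]))))
```

For a file on disk, pass `open(path, "rb")` instead of the in-memory stream.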