Ethereal-users: Re: [Ethereal-users] tethereal vs tcpdump

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 3 Nov 2003 12:18:23 -0800

On Nov 3, 2003, at 6:58 AM, MH wrote:

Try tcpdump -s 1500 -w your_pcap.cap ip[21]==89

No, "-s 1514" - the snapshot length is the length of the entire packet, including the link-layer header.

But "-s 65535" works as well, and you don't have to worry about the maximum packet size of particular network types.