Ethereal-users: Re: [Ethereal-users] tethereal vs tcpdump

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: MH <procana@xxxxxxxxxxxxxx>
Date: Mon, 3 Nov 2003 18:33:10 -0500
Hi Guy,

A snaplen of 1500 is not going to cause truncation problems.
Depending on the ethernet frame-type, the snaplen might even be 1518 or even
1522 bytes.
Or if he is capturing on a token-ring network ... ;) 

He could also specify -s 0 instead of -s 65535 to capture the full packet.

Older versions of the tcpdump man page even use
a snaplen of 1500 in given examples. 

I can appreciate exactness/correctness but not nit picking.

Give me a break,
Mike

On Mon, 2003-11-03 at 15:18, Guy Harris wrote:
>> On Nov 3, 2003, at 6:58 AM, MH wrote:
>> Try tcpdump -s 1500 -w your_pcap.cap ip[21]==89
> No, "-s 1514" 
> - the snapshot length is the length of the entire packet, 
>  including the link-layer header.But "-s 65535" works as well, 
> and you don't have to worry about the maximum packet size of particular network types.