[Guy Harris <guy@xxxxxxxxxxxx>]

On Nov 3, 2003, at 3:33 PM, MH wrote:

> A snaplen of 1500 is not going to cause truncation problems.

On Ethereal, yes, it will.

I just did a capture with "-s 1500", and did an NFS read while it was 
running.

Many of the NFS packets were 1518 bytes on the wire (1500 bytes of 
payload, 14 bytes of header, and 4 bytes of FCS, because I was 
capturing on a device whose driver supplies the FCS to BPF).  Only 14 
bytes of header and 1486 bytes of payload were captured - the full 
payload was no captured.

> He could also specify -s 0 instead of -s 65535 to capture the full 
> packet.

...if he's using a sufficiently-recent version of tcpdump.

> Older versions of the tcpdump man page even use
> a snaplen of 1500 in given examples.

Then they either changed the semantics of "-s" (unlikely) or they had a 
bug in the man page (more likely).