[Guy Harris <guy@xxxxxxxxxxxx>]

On Nov 3, 2003, at 5:43 PM, MH wrote:

> My point was that truncation would not be a problem.  Not
> that truncation could not occur.  Most, if anything that is
> truncated with a snaplen of 1500 is part of a file xfer or
> padding.

Unless you're capturing, for example, directory-reading NFS or SMB 
traffic.

But it's probably rare that a snaplen of 1500 is the right snaplen - 
you probably either need less traffic than that, or you really *do* 
need the whole packet, or you're trying to diagnose a problem and don't 
yet know how much you need.

> Remember, Dario was capturing OSPF.  Are you going to tell
> me that most OSPF packets are going to exceed 1500 bytes or even come
> close?
>
> It just seemed to me that my post was *corrected* due to nit-picking
> than an effort to help Dario solve his problem.

I wanted to make sure nobody misread your message and inferred that a 
snapshot length of 1500 would *never* cause truncation problems, or 
that it was the appropriate snapshot length to capture full Ethernet 
packets.  A reply might be intended to answer a particular question, 
but people reading the thread containing the reply might take hints 
from it.