Kaushal Shriyan wrote:
Is it better to run

tcpdump -i eth0 -s 0 -w dump host 192.168.0.1 and host 192.168.0.2 and port 443

or instead

tcpdump -i eth0 -s 1500 -w dump host 192.168.0.1 and host 192.168.0.2 and port 443

Which is the best method?
Assuming you're using tcpdump 3.6 or later (as per my earlier mail,
3.4[.x] and 3.5[.x] don't support "-s 0"):
Given that the "snapshot length" includes the link-layer header - i.e.,
it's *NOT* the MTU - a snapshot length of 1500 will cut off the last 14
bytes of a full-length 1514-byte Ethernet packet. Therefore, "-s 0" is
better than "-s 1500".
It's also better than "-s 1514", because
1) it works on all interfaces, regardless of the maximum packet size
(i.e., you don't have to know the maximum packet size of an interface if
you just use "-s 0");
2) it's 3 fewer characters to type. :-)
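To make the snapshot-length arithmetic concrete, here is an added example (not part of the thread, not tcpdump or libpcap code) that builds a constructed full-size Ethernet frame, writes it to a classic pcap file the way a capture with a given snaplen would, and reads it back to count how many trailing bytes were dropped. It goes a little beyond the message above by also handling an 802.1Q-tagged frame (18-byte link-layer header) to show why a hard-coded "-s 1514" is not safe on every interface either. Assumptions: "-s 0" is modelled as a 65535-byte snaplen (what the 3.6-era tcpdump used; current releases use a larger maximum), and the tagged frame is delivered to the capture with its VLAN tag intact. All frame contents are constructed sample data.

```python
import struct

ETH_HDR_LEN = 14            # dst MAC + src MAC + ethertype
VLAN_TAG_LEN = 4            # 802.1Q TPID + TCI, if the kernel hands the tag to libpcap
MTU = 1500                  # Ethernet payload (IP packet) size
ZERO_SNAPLEN_MEANS = 65535  # assumption: "-s 0" on tcpdump 3.6-era builds; newer versions use 262144
DLT_EN10MB = 1


def build_frame(payload_len=MTU, vlan=False):
    """Constructed Ethernet frame: link-layer header plus a payload_len-byte IP packet."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    tag = b"\x81\x00\x00\x0a" if vlan else b""   # VLAN 10, constructed
    ethertype = b"\x08\x00"                      # IPv4
    payload = bytes(i & 0xFF for i in range(payload_len))  # dummy IP packet, constructed
    return dst + src + tag + ethertype + payload


def effective_snaplen(snaplen):
    """tcpdump maps -s 0 to its maximum; any other value is used as-is."""
    return ZERO_SNAPLEN_MEANS if snaplen == 0 else snaplen


def write_pcap(frames, snaplen):
    """Emit a classic little-endian pcap file, truncating each frame to the snaplen
    exactly as the capture would: caplen = bytes stored, origlen = bytes on the wire."""
    eff = effective_snaplen(snaplen)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, eff, DLT_EN10MB)
    for i, frame in enumerate(frames):
        data = frame[:eff]
        out += struct.pack("<IIII", i, 0, len(data), len(frame))
        out += data
    return out


def read_pcap(blob):
    """Parse the file back into (caplen, origlen, data) records."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, _lt = struct.unpack_from("<IHHiIII", blob, 0)
    assert magic == 0xA1B2C3D4, "not a little-endian classic pcap"
    off, records = 24, []
    while off < len(blob):
        _sec, _usec, caplen, origlen = struct.unpack_from("<IIII", blob, off)
        off += 16
        records.append((caplen, origlen, blob[off:off + caplen]))
        off += caplen
    return records


def bytes_lost(frame, snaplen):
    """Trailing bytes of `frame` a capture with this snaplen drops (origlen - caplen)."""
    caplen, origlen, _data = read_pcap(write_pcap([frame], snaplen))[0]
    return origlen - caplen


def tail_survived(frame, snaplen, n=ETH_HDR_LEN):
    """True if the last n bytes of the frame (end of the IP packet) made it into the file."""
    _caplen, _origlen, data = read_pcap(write_pcap([frame], snaplen))[0]
    return data.endswith(frame[-n:])


if __name__ == "__main__":
    full = build_frame()
    for s in (1500, 1514, 0):
        print(f"-s {s:<5} untagged 1514-byte frame: {bytes_lost(full, s)} bytes lost")
    tagged = build_frame(vlan=True)
    for s in (1500, 1514, 0):
        print(f"-s {s:<5} tagged 1518-byte frame:   {bytes_lost(tagged, s)} bytes lost")
```

Running it shows "-s 1500" losing exactly the 14 bytes the reply describes on a plain Ethernet frame, "-s 1514" saving the untagged case but still losing the last 4 bytes of a tagged frame, and "-s 0" losing nothing in either case, which is the "works on all interfaces" point (1) above.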