Wireshark-users: Re: [Wireshark-users] tcpdump command to capture https traffic

From: "Kaushal Shriyan" <kaushalshriyan@xxxxxxxxx>
Date: Fri, 20 Jul 2007 19:20:11 +0530
Hi Guy Harris

Thanks Guy Harris :-)

Can I have online docs to understand the TCP/IP protocol, and just to understand how network packets are constructed?

Thanks a Lot

Awaiting your earnest reply

Regards

Kaushal


On 7/19/07, Guy Harris <guy@xxxxxxxxxxxx> wrote:
Kaushal Shriyan wrote:

> is it better to run tcpdump -i eth0 -s 0 -w dump host 192.168.0.1
> and host 192.168.0.2 and port 443
>
> or instead tcpdump -i eth0 -s 1500 -w dump host 192.168.0.1
> and host 192.168.0.2 and port 443
>
> which is the best method

Assuming you're using tcpdump 3.6 or later (as per my earlier mail,
3.4[.x] and 3.5[.x] don't support "-s 0"):

Given that the "snapshot length" includes the link-layer header - i.e.,
it's *NOT* the MTU - a snapshot length of 1500 will cut off the last 14
bytes of a full-length 1514-byte Ethernet packet.  Therefore, "-s 0" is
better than "-s 1500".

It's also better than "-s 1514", because

        1) it works on all interfaces, regardless of the maximum packet size
(i.e., you don't have to know the maximum packet size of an interface if
you just use "-s 0");

        2) it's 3 fewer characters to type. :-)
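A worked check of the snapshot-length point above, added here as an example and not code from the thread or from tcpdump: it models how a given "-s" value truncates a full-length 1514-byte Ethernet frame, writes the result as an in-memory pcap file the way a capture would, and then scans that file for records whose incl_len is smaller than orig_len, which is the quickest way to tell whether an existing capture was taken with too small a snaplen. The mapping of "-s 0" to 262144 bytes is an assumption taken from libpcap's MAXIMUM_SNAPLEN in later versions; the frames and timestamps are constructed sample data, not real traffic.

```python
import struct
from io import BytesIO

ETH_HDR_LEN = 14                     # destination MAC + source MAC + EtherType
MTU = 1500                           # Ethernet MTU: the IP packet, header not included
FULL_FRAME_LEN = ETH_HDR_LEN + MTU   # 1514 bytes, the frame size discussed in the mail
MAX_SNAPLEN = 262144                 # assumption: libpcap MAXIMUM_SNAPLEN, used for "-s 0"
LINKTYPE_ETHERNET = 1
PCAP_MAGIC = 0xA1B2C3D4


def effective_snaplen(snaplen):
    """Map the value given to 'tcpdump -s' to the limit actually applied."""
    return MAX_SNAPLEN if snaplen == 0 else snaplen


def captured_len(frame_len, snaplen):
    """Bytes stored for one frame; the snaplen counts the link-layer header too."""
    return min(frame_len, effective_snaplen(snaplen))


def build_pcap(frames, snaplen):
    """Write a little-endian pcap 2.4 file in memory, truncating each frame to snaplen."""
    limit = effective_snaplen(snaplen)
    buf = BytesIO()
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    buf.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, limit, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        data = frame[:limit]
        # record header: ts_sec, ts_usec, incl_len (stored), orig_len (on the wire)
        # timestamp is an arbitrary constructed value, not from a real capture
        buf.write(struct.pack("<IIII", 1184846411 + i, 0, len(data), len(frame)))
        buf.write(data)
    return buf.getvalue()


def truncated_records(pcap_bytes):
    """Return (index, incl_len, orig_len) for every record cut short by the snaplen."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, idx, out = 24, 0, []
    while off < len(pcap_bytes):
        _, _, incl, orig = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16 + incl
        if incl < orig:
            out.append((idx, incl, orig))
        idx += 1
    return out


def make_frame(payload_len, seq):
    """Constructed sample frame: fake Ethernet header plus filler bytes."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return hdr + bytes([seq]) * payload_len


# two full-size frames and one small one, constructed for the demonstration
SAMPLE_FRAMES = [make_frame(MTU, 1), make_frame(60, 2), make_frame(MTU, 3)]

if __name__ == "__main__":
    for snap in (1500, 1514, 0):
        cut = truncated_records(build_pcap(SAMPLE_FRAMES, snap))
        print(f"-s {snap}: {len(cut)} truncated record(s) {cut}")
```

With "-s 1500" both full-size frames are stored as 1500 of 1514 bytes, so their last 14 bytes (the tail of the TCP payload, not the Ethernet header, which sits at the front) are lost; with "-s 1514" or "-s 0" nothing is truncated. The same incl_len versus orig_len comparison is what Wireshark reports when it flags a packet as cut short during capture.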
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users