Hi Guy Harris
Thanks Guy Harris :-)
Can I have online docs to understand TCP/IP Protocol and just to understand how the Network Packets are constructed?
Thanks a Lot
Awaiting your earnest reply
Regards
Kaushal
On 7/19/07, Guy Harris <guy@xxxxxxxxxxxx> wrote:
Kaushal Shriyan wrote:
> is it better to run tcpdump -i eth0 -s 0 -w dump host 192.168.0.1 and
> host 192.168.0.2 and port 443
>
> or instead tcpdump -i eth0 -s 1500 -w dump host 192.168.0.1 and
> host 192.168.0.2 and port 443
>
> which is the best method
Assuming you're using tcpdump 3.6 or later (as per my earlier mail,
3.4[.x] and 3.5[.x] don't support "-s 0"):
Given that the "snapshot length" includes the link-layer header - i.e.,
it's *NOT* the MTU - a snapshot length of 1500 will cut off the last 14
bytes of a full-length 1514-byte Ethernet packet. Therefore, "-s 0" is
better than "-s 1500".
It's also better than "-s 1514", because
1) it works on all interfaces, regardless of the maximum packet size
(i.e., you don't have to know the maximum packet size of an interface if
you just use "-s 0");
2) it's 3 fewer characters to type. :-)
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
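
The truncation discussed in the thread above, as an added example that is not part of the original e-mails: it reads a classic pcap file's global header and per-record headers and reports every packet whose captured length is shorter than its on-the-wire length. The function names, the constructed frame sizes and the use of 65535 as a stand-in for a whole-packet snapshot length are assumptions made for the illustration.

```python
import struct

GLOBAL_HDR = "IHHiIII"   # magic, ver major/minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"      # ts_sec, ts_usec, captured length, on-the-wire length
MAGIC = 0xA1B2C3D4       # classic pcap with microsecond timestamps

def build_pcap(snaplen, wire_lengths):
    """Constructed sample: what a capture with this snapshot length would write."""
    out = struct.pack("<" + GLOBAL_HDR, MAGIC, 2, 4, 0, 0, snaplen, 1)  # 1 = Ethernet
    for i, wire_len in enumerate(wire_lengths):
        cap_len = min(wire_len, snaplen)      # the capture keeps at most snaplen bytes
        out += struct.pack("<" + RECORD_HDR, i, 0, cap_len, wire_len) + bytes(cap_len)
    return out

def find_truncated(pcap):
    """Return (snaplen, [(index, captured, on_wire), ...]) for records cut short."""
    if len(pcap) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack_from("<I", pcap)[0]
    if magic == MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:                 # same magic, written big-endian
        order = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    snaplen = struct.unpack_from(order + GLOBAL_HDR, pcap)[5]
    offset, index, cut = 24, 0, []
    while offset + 16 <= len(pcap):
        _, _, cap_len, wire_len = struct.unpack_from(order + RECORD_HDR, pcap, offset)
        if offset + 16 + cap_len > len(pcap):
            raise ValueError(f"record {index} runs past end of file")
        if cap_len < wire_len:                # bytes were dropped by the snapshot length
            cut.append((index, cap_len, wire_len))
        offset += 16 + cap_len
        index += 1
    return snaplen, cut

if __name__ == "__main__":
    frames = [60, 1514, 590, 1514]            # constructed Ethernet frame sizes
    for snaplen in (1500, 1514, 65535):
        print(snaplen, find_truncated(build_pcap(snaplen, frames))[1])
```

Running the same check against a capture file made with a fixed snapshot length shows whether any packets lost their tail before the file is used for analysis.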