Ethereal

Re: [Ethereal-users] tethereal vs tcpdump
Google
 
Web Ethereal.com

Home | Introduction | Documentation | Lists | FAQ | Development | Wiki | Bugs

Main Index | Thread Index | Mailing Lists | | Date Prev | Date Next | Thread Prev | Thread Next

Ethereal-users: November 2003

 

On Mon, Nov 03, 2003 at 11:36:17AM +0100, Dario Lombardo wrote:
> I experienced this problems some days ago using tcpdump and tethereal.
> I made a capture with tcpdump in order to get OSPF packets. My filter 
> was ip[21]==89. I saved my data into a pcap file, but when I opened it 
> with ethereal I found many packets marked [Short frame], and effectively 
> they where truncated. I made the same capture with tethereal (same 
> options) and I got a different result: the packets where captured 
> correctly, at full lenght.

Yes, tcpdump defaults to a snapshot length of 68 bytes (if it's a
version that doesn't support IPv6) or 96 bytes (if it's a version that
supports IPv6), but Ethereal and Tethereal default to a snapshot length
of 65535 bytes (meaning "capture the entire packet").

If you want to capture the full packet with tcpdump, you have to use "-s
65535" or, in newer versions of tcpdump, "-s 0" (which means "full
length").

Powered by MHonArc 2.6.10

Please send support questions about Ethereal to the ethereal-users[AT]ethereal.com mailing list.
For corrections/additions/suggestions for this web page (and not Ethereal support questions), please send email to ethereal-web[AT]ethereal.com.
Last modified: Fri, November 10 2006.
"Ethereal" and the "e" logo are registered trademarks of Ethereal, Inc.