- Subject: Re: [Ethereal-users] tethereal vs tcpdump
- From: Guy Harris <guy@xxxxxxxxxxxx>
- Date: Mon, 3 Nov 2003 16:08:49 -0800
On Nov 3, 2003, at 3:33 PM, MH wrote:

> A snaplen of 1500 is not going to cause truncation problems.

On Ethereal, yes, it will.

I just did a capture with "-s 1500", and did an NFS read while it was
running.

Many of the NFS packets were 1518 bytes on the wire (1500 bytes of
payload, 14 bytes of header, and 4 bytes of FCS, because I was
capturing on a device whose driver supplies the FCS to BPF). Only 14
bytes of header and 1486 bytes of payload were captured - the full
payload was not captured.

> He could also specify -s 0 instead of -s 65535 to capture the full
> packet.

...if he's using a sufficiently-recent version of tcpdump.

> Older versions of the tcpdump man page even use
> a snaplen of 1500 in given examples.

Then they either changed the semantics of "-s" (unlikely) or they had a
bug in the man page (more likely).
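
An added example, not part of the original message: a check for the truncation described above, which reads a classic pcap file and lists every record whose captured length is smaller than its on-the-wire length. The sample capture is constructed inline (zero-filled frames, snaplen 1500, Ethernet link type); the function names are illustrative.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
ETH_HEADER = 14          # bytes of Ethernet header in each captured frame

def find_truncated(pcap_bytes):
    """Return (snaplen, [(index, caplen, wire_len), ...]) for sliced packets."""
    if struct.unpack("<I", pcap_bytes[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", pcap_bytes[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    # Global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    snaplen = struct.unpack(endian + "IHHiIII", pcap_bytes[:24])[5]
    offset, index, truncated = 24, 0, []
    while offset + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_usec, captured length, original length
        _, _, caplen, wire_len = struct.unpack(
            endian + "IIII", pcap_bytes[offset:offset + 16])
        if caplen < wire_len:
            truncated.append((index, caplen, wire_len))
        offset += 16 + caplen
        index += 1
    return snaplen, truncated

def build_sample(snaplen, wire_lengths):
    """Constructed capture: zero-filled frames, each cut at snaplen."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for i, wire_len in enumerate(wire_lengths):
        caplen = min(wire_len, snaplen)
        out += struct.pack("<IIII", i, 0, caplen, wire_len) + bytes(caplen)
    return out

# Constructed input: two 1518-byte frames (FCS included) and one 60-byte frame.
SAMPLE = build_sample(1500, [1518, 60, 1518])

if __name__ == "__main__":
    snaplen, cut = find_truncated(SAMPLE)
    for index, caplen, wire_len in cut:
        print(f"packet {index}: captured {caplen} of {wire_len} bytes "
              f"({caplen - ETH_HEADER} payload bytes kept, snaplen {snaplen})")
```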