2008/11/23 ropers <[EMAIL PROTECTED]>: >>> On Wed, Nov 19, 2008 at 08:18:00PM -0800, Jeff Simmons wrote: > >>> Just increase the snaplen. >>> >>> tcpdump -s 65000 -w dump port 80 > > With some tcpdump(8) versions on non-OpenBSD Unix-like OSes (e.g. > tcpdump version 3.9.8/Ubuntu 8.10), the man page says: > > -s Snarf snaplen bytes of data from each packet (...) Set‐ > ting snaplen to 0 means use the required length to catch > whole packets. > > The man page for OpenBSD's tcpdump doesn't mention anything about > setting the snaplen to 0, and trying to invoke OpenBSD's tcpdump with > -s 0 results in an error of: > >> tcpdump: invalid snaplen 0 > > (tested with OpenBSD 4.3 GENERIC) > > This is probably a naive question, but how would one best replicate > the -s 0 functionality with OpenBSD's tcpdump? Is there a reason why > Jeff specifically suggested -s 65000? > > Many thanks and regards, > --ropers > >
Since the size of a IPv4 packet is coded on 16 bits it can't be more than 65536 octets. So -s 65536 and -s 0 should behave the same for IPv4 packets. Note that IPv6 has a jumbogram feature enabling the use of bigger packets but I never saw it in action. And since tcpdump doesn't reassemble framented IP packets, your network interface MTU should be enough anyway. -- Pierre Riteau
