maximum.
Get rid of redundant definition of DEFAULT_SNAPLEN in interface.h.
Update the documentation.
#define max(a,b) ((b)>(a)?(b):(a))
#endif
-/*
- * The default snapshot length. This value allows most printers to print
- * useful information while keeping the amount of unwanted data down.
- */
-#ifndef INET6
-#define DEFAULT_SNAPLEN 68 /* ether + IPv4 + TCP + 14 */
-#else
-#define DEFAULT_SNAPLEN 96 /* ether + IPv6 + TCP + 22 */
-#endif
-
#ifndef BIG_ENDIAN
#define BIG_ENDIAN 4321
#define LITTLE_ENDIAN 1234
#define max(a,b) ((b)>(a)?(b):(a))
#endif
-#ifndef INET6
/*
- * The default snapshot length. This value allows most printers to print
- * useful information while keeping the amount of unwanted data down.
- * In particular, it allows for an ethernet header, tcp/ip header, and
- * 14 bytes of data (assuming no ip options).
+ * Maximum snapshot length. This should be enough to capture the full
+ * packet on most network interfaces.
+ *
+ * XXX - could it be larger? If so, should it? Some applications might
+ * use the snapshot length in a savefile header to control the size of
+ * the buffer they allocate, so a size of, say, 2^31-1 might not work
+ * well.
*/
-#define DEFAULT_SNAPLEN 68
-#else
-#define DEFAULT_SNAPLEN 96
-#endif
+#define MAXIMUM_SNAPLEN 65535
+
+/*
+ * The default snapshot length is the maximum.
+ */
+#define DEFAULT_SNAPLEN MAXIMUM_SNAPLEN
#ifndef BIG_ENDIAN
#define BIG_ENDIAN 4321
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
-.TH TCPDUMP 1 "07 January 2008"
+.TH TCPDUMP 1 "05 March 2009"
.SH NAME
tcpdump \- dump traffic on a network
.SH SYNOPSIS
.TP
.B \-s
Snarf \fIsnaplen\fP bytes of data from each packet rather than the
-default of 68 (with SunOS's NIT, the minimum is actually 96).
-68 bytes is adequate for IP, ICMP, TCP
-and UDP but may truncate protocol information from name server and NFS
-packets (see below).
+default of 65535 bytes.
Packets truncated because of a limited snapshot
are indicated in the output with ``[|\fIproto\fP]'', where \fIproto\fP
is the name of the protocol level at which the truncation has occurred.
You should limit \fIsnaplen\fP to the smallest number that will
capture the protocol information you're interested in.
Setting
-\fIsnaplen\fP to 0 means use the required length to catch whole packets.
+\fIsnaplen\fP to 0 sets it to the default of 65535,
+for backwards compatibility with recent older versions of
+.IR tcpdump .
.TP
.B \-T
Force packets selected by "\fIexpression\fP" to be interpreted the
If the
`question' section doesn't contain exactly one entry, `[\fIn\fPq]'
is printed.
-.LP
-Note that name server requests and responses tend to be large and the
-default \fIsnaplen\fP of 68 bytes may not capture enough of the packet
-to print.
-Use the \fB\-s\fP flag to increase the snaplen if you
-need to seriously investigate name server traffic.
-`\fB\-s 128\fP'
-has worked well for me.
.HD
SMB/CIFS decoding
snaplen = strtol(optarg, &end, 0);
if (optarg == end || *end != '\0'
- || snaplen < 0 || snaplen > 65535)
+ || snaplen < 0 || snaplen > MAXIMUM_SNAPLEN)
error("invalid snaplen %s", optarg);
else if (snaplen == 0)
- snaplen = 65535;
+ snaplen = MAXIMUM_SNAPLEN;
break;
}
projects / tcpdump / commitdiff
