Make the default snapshot length the maximum; add a #define for the

maximum.

Get rid of redundant definition of DEFAULT_SNAPLEN in interface.h.

Update the documentation.

diff --git a/interface.h b/interface.h
index 40067ed46cc5f4af3307b8d80b7e0c404181bd12..b8e2001c4930906aaecd551d3216e45b295b7e04 100644 (file)
--- a/interface.h
+++ b/interface.h
@@ -82,16 +82,6 @@ extern char *strsep(char **, const char *);
 #define max(a,b) ((b)>(a)?(b):(a))
 #endif
 
 #define max(a,b) ((b)>(a)?(b):(a))
 #endif
 

-/*
- * The default snapshot length.  This value allows most printers to print
- * useful information while keeping the amount of unwanted data down.
- */
-#ifndef INET6
-#define DEFAULT_SNAPLEN 68     /* ether + IPv4 + TCP + 14 */
-#else
-#define DEFAULT_SNAPLEN 96     /* ether + IPv6 + TCP + 22 */
-#endif
-

 #ifndef BIG_ENDIAN
 #define BIG_ENDIAN 4321
 #define LITTLE_ENDIAN 1234
 #ifndef BIG_ENDIAN
 #define BIG_ENDIAN 4321
 #define LITTLE_ENDIAN 1234

diff --git a/netdissect.h b/netdissect.h
index 8b5c8420ef7d7d874f8b1ede368ae9def69f02a3..d1b627176ec95e6837f91fa8a0178d591a1eebbd 100644 (file)
--- a/netdissect.h
+++ b/netdissect.h
@@ -171,17 +171,21 @@ struct netdissect_options {
 #define max(a,b) ((b)>(a)?(b):(a))
 #endif
 
 #define max(a,b) ((b)>(a)?(b):(a))
 #endif
 

-#ifndef INET6

 /*
 /*

- * The default snapshot length.  This value allows most printers to print
- * useful information while keeping the amount of unwanted data down.
- * In particular, it allows for an ethernet header, tcp/ip header, and
- * 14 bytes of data (assuming no ip options).
+ * Maximum snapshot length.  This should be enough to capture the full
+ * packet on most network interfaces.
+ *
+ * XXX - could it be larger?  If so, should it?  Some applications might
+ * use the snapshot length in a savefile header to control the size of
+ * the buffer they allocate, so a size of, say, 2^31-1 might not work
+ * well.

  */
  */

-#define DEFAULT_SNAPLEN 68
-#else
-#define DEFAULT_SNAPLEN 96
-#endif
+#define MAXIMUM_SNAPLEN        65535
+
+/*
+ * The default snapshot length is the maximum.
+ */
+#define DEFAULT_SNAPLEN        MAXIMUM_SNAPLEN

 
 #ifndef BIG_ENDIAN
 #define BIG_ENDIAN 4321
 
 #ifndef BIG_ENDIAN
 #define BIG_ENDIAN 4321

diff --git a/tcpdump.1.in b/tcpdump.1.in
index 06140cb2b827a9dbd641315b2ce2cd9b87eb4b94..2be95d2e9387b75778b7d936922391892a37d725 100644 (file)
--- a/tcpdump.1.in
+++ b/tcpdump.1.in
@@ -22,7 +22,7 @@
 .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
 .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 .\"
 .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
 .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 .\"

-.TH TCPDUMP 1  "07 January 2008"
+.TH TCPDUMP 1  "05 March 2009"

 .SH NAME
 tcpdump \- dump traffic on a network
 .SH SYNOPSIS
 .SH NAME
 tcpdump \- dump traffic on a network
 .SH SYNOPSIS


@@ -432,10 +432,7 @@ Print absolute, rather than relative, TCP sequence numbers.
 .TP
 .B \-s
 Snarf \fIsnaplen\fP bytes of data from each packet rather than the
 .TP
 .B \-s
 Snarf \fIsnaplen\fP bytes of data from each packet rather than the

-default of 68 (with SunOS's NIT, the minimum is actually 96).
-68 bytes is adequate for IP, ICMP, TCP
-and UDP but may truncate protocol information from name server and NFS
-packets (see below).
+default of 65535 bytes.

 Packets truncated because of a limited snapshot
 are indicated in the output with ``[|\fIproto\fP]'', where \fIproto\fP
 is the name of the protocol level at which the truncation has occurred.
 Packets truncated because of a limited snapshot
 are indicated in the output with ``[|\fIproto\fP]'', where \fIproto\fP
 is the name of the protocol level at which the truncation has occurred.


@@ -447,7 +444,9 @@ lost.
 You should limit \fIsnaplen\fP to the smallest number that will
 capture the protocol information you're interested in.
 Setting
 You should limit \fIsnaplen\fP to the smallest number that will
 capture the protocol information you're interested in.
 Setting

-\fIsnaplen\fP to 0 means use the required length to catch whole packets.
+\fIsnaplen\fP to 0 sets it to the default of 65535,
+for backwards compatibility with recent older versions of
+.IR tcpdump .

 .TP
 .B \-T
 Force packets selected by "\fIexpression\fP" to be interpreted the
 .TP
 .B \-T
 Force packets selected by "\fIexpression\fP" to be interpreted the


@@ -1251,14 +1250,6 @@ RA, \fInot\fP set) and `|' (truncated message, TC, set).
 If the
 `question' section doesn't contain exactly one entry, `[\fIn\fPq]'
 is printed.
 If the
 `question' section doesn't contain exactly one entry, `[\fIn\fPq]'
 is printed.

-.LP
-Note that name server requests and responses tend to be large and the
-default \fIsnaplen\fP of 68 bytes may not capture enough of the packet
-to print.
-Use the \fB\-s\fP flag to increase the snaplen if you
-need to seriously investigate name server traffic.
-`\fB\-s 128\fP'
-has worked well for me.

 
 .HD
 SMB/CIFS decoding
 
 .HD
 SMB/CIFS decoding

diff --git a/tcpdump.c b/tcpdump.c
index ba8b702b64b5c816982d305bc25756b9675e3c37..d524b0164d1bea3388c2c9f3dd66b7d4a304b7c3 100644 (file)
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -748,10 +748,10 @@ main(int argc, char **argv)
 
                        snaplen = strtol(optarg, &end, 0);
                        if (optarg == end || *end != '\0'
 
                        snaplen = strtol(optarg, &end, 0);
                        if (optarg == end || *end != '\0'

-                           || snaplen < 0 || snaplen > 65535)
+                           || snaplen < 0 || snaplen > MAXIMUM_SNAPLEN)

                                error("invalid snaplen %s", optarg);
                        else if (snaplen == 0)
                                error("invalid snaplen %s", optarg);
                        else if (snaplen == 0)

-                               snaplen = 65535;
+                               snaplen = MAXIMUM_SNAPLEN;

                        break;
                }
 
                        break;
                }