From: Guy Harris Date: Thu, 5 Mar 2009 09:01:29 +0000 (-0800) Subject: Make the default snapshot length the maximum; add a #define for the X-Git-Tag: tcpdump-4.1.0~135 X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/8c63baec6f9524d8308ef5553d5bae789b1e47b7 Make the default snapshot length the maximum; add a #define for the maximum. Get rid of redundant definition of DEFAULT_SNAPLEN in interface.h. Update the documentation.
---
diff --git a/interface.h b/interface.h
index 40067ed4..b8e2001c 100644
--- a/interface.h
+++ b/interface.h
@@ -82,16 +82,6 @@ extern char *strsep(char **, const char *);
 #define max(a,b) ((b)>(a)?(b):(a))
 #endif
-/*
- * The default snapshot length. This value allows most printers to print
- * useful information while keeping the amount of unwanted data down.
- */
-#ifndef INET6
-#define DEFAULT_SNAPLEN 68 /* ether + IPv4 + TCP + 14 */
-#else
-#define DEFAULT_SNAPLEN 96 /* ether + IPv6 + TCP + 22 */
-#endif
-
 #ifndef BIG_ENDIAN
 #define BIG_ENDIAN 4321
 #define LITTLE_ENDIAN 1234
diff --git a/netdissect.h b/netdissect.h
index 8b5c8420..d1b62717 100644
--- a/netdissect.h
+++ b/netdissect.h
@@ -171,17 +171,21 @@ struct netdissect_options {
 #define max(a,b) ((b)>(a)?(b):(a))
 #endif
-#ifndef INET6
 /*
- * The default snapshot length. This value allows most printers to print
- * useful information while keeping the amount of unwanted data down.
- * In particular, it allows for an ethernet header, tcp/ip header, and
- * 14 bytes of data (assuming no ip options).
+ * Maximum snapshot length. This should be enough to capture the full
+ * packet on most network interfaces.
+ *
+ * XXX - could it be larger? If so, should it? Some applications might
+ * use the snapshot length in a savefile header to control the size of
+ * the buffer they allocate, so a size of, say, 2^31-1 might not work
+ * well.
 */
-#define DEFAULT_SNAPLEN 68
-#else
-#define DEFAULT_SNAPLEN 96
-#endif
+#define MAXIMUM_SNAPLEN 65535
+
+/*
+ * The default snapshot length is the maximum.
+ */
+#define DEFAULT_SNAPLEN MAXIMUM_SNAPLEN
 #ifndef BIG_ENDIAN
 #define BIG_ENDIAN 4321
diff --git a/tcpdump.1.in b/tcpdump.1.in
index 06140cb2..2be95d2e 100644
--- a/tcpdump.1.in
+++ b/tcpdump.1.in
@@ -22,7 +22,7 @@
 .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
 .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 .\"
-.TH TCPDUMP 1 "07 January 2008"
+.TH TCPDUMP 1 "05 March 2009"
 .SH NAME
 tcpdump \- dump traffic on a network
 .SH SYNOPSIS
@@ -432,10 +432,7 @@ Print absolute, rather than relative, TCP sequence numbers.
 .TP
 .B \-s
 Snarf \fIsnaplen\fP bytes of data from each packet rather than the
-default of 68 (with SunOS's NIT, the minimum is actually 96).
-68 bytes is adequate for IP, ICMP, TCP
-and UDP but may truncate protocol information from name server and NFS
-packets (see below).
+default of 65535 bytes.
 Packets truncated because of a limited snapshot are indicated in the output with ``[|\fIproto\fP]'', where \fIproto\fP is the name of the protocol level at which the truncation has occurred.
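Review bot: The new comment on `DEFAULT_SNAPLEN` in the netdissect.h hunk says only that the default is the maximum, and does not record what that means for captures: with no `-s` option each packet is now taken in full, so output and savefiles can hold complete application payloads (which may include credentials or other sensitive data) where the old 68/96-byte default kept little more than the headers. I would extend the comment to say so, for example `The default snapshot length is the maximum, so full packet payloads are captured unless -s is given; pass a smaller -s to limit what is retained.` The XXX remark about readers sizing buffers from the savefile header is worth keeping directly above `MAXIMUM_SNAPLEN`, since any later increase of that value would affect them.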
@@ -447,7 +444,9 @@ lost.
 You should limit \fIsnaplen\fP to the smallest number that will capture the protocol information you're interested in. Setting
-\fIsnaplen\fP to 0 means use the required length to catch whole packets.
+\fIsnaplen\fP to 0 sets it to the default of 65535,
+for backwards compatibility with recent older versions of
+.IR tcpdump .
 .TP
 .B \-T
 Force packets selected by "\fIexpression\fP" to be interpreted the
@@ -1251,14 +1250,6 @@ RA, \fInot\fP set) and `|' (truncated message, TC, set).
 If the `question' section doesn't contain exactly one entry, `[\fIn\fPq]' is printed.
-.LP
-Note that name server requests and responses tend to be large and the
-default \fIsnaplen\fP of 68 bytes may not capture enough of the packet
-to print.
-Use the \fB\-s\fP flag to increase the snaplen if you
-need to seriously investigate name server traffic.
-`\fB\-s 128\fP'
-has worked well for me.
 .HD SMB/CIFS decoding
diff --git a/tcpdump.c b/tcpdump.c
index ba8b702b..d524b016 100644
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -748,10 +748,10 @@ main(int argc, char **argv)
 snaplen = strtol(optarg, &end, 0);
 if (optarg == end || *end != '\0'
- || snaplen < 0 || snaplen > 65535)
+ || snaplen < 0 || snaplen > MAXIMUM_SNAPLEN)
 error("invalid snaplen %s", optarg);
 else if (snaplen == 0)
- snaplen = 65535;
+ snaplen = MAXIMUM_SNAPLEN;
 break;
 }
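Review bot: In the tcpdump.c hunk the range test `snaplen < 0 || snaplen > MAXIMUM_SNAPLEN` runs only after the `strtol()` result has been stored in `snaplen`; if `snaplen` is an `int` (its declaration is outside the hunk), an out-of-range argument on a platform where `long` is wider than `int` can be narrowed into the accepted range before it is checked, and a value that narrows to 0 is then silently replaced by the maximum. Parsing into a `long` first keeps the check on the value the user actually gave: `long v = strtol(optarg, &end, 0);`, then test `v < 0 || v > MAXIMUM_SNAPLEN`, then `snaplen = (int)v;`. The option-parsing code in `main()` that encloses these lines starts before the hunk.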