Hi Guy, A snaplen of 1500 is not going to cause truncation problems. Depending on the ethernet frame-type, the snaplen might even be 1518 or even 1522 bytes. Or if he is capturing on a token-ring network ... ;)
He could also specify -s 0 instead of -s 65535 to capture the full packet. Older versions of the tcpdump man page even use a snaplen of 1500 in given examples. I can appreciate exactness/correctness but not nit picking. Give me a break, Mike On Mon, 2003-11-03 at 15:18, Guy Harris wrote: >> On Nov 3, 2003, at 6:58 AM, MH wrote: >> Try tcpdump -s 1500 -w your_pcap.cap ip[21]==89 > No, "-s 1514" > - the snapshot length is the length of the entire packet, > including the link-layer header.But "-s 65535" works as well, > and you don't have to worry about the maximum packet size of particular network > types.
