On Thu, Mar 13, 2003 at 06:04:48PM +0100, BUYCK Jacky FTRD/DMI/CAE wrote:
> Is there a difference between a file captured by the following command:
> 	tcpdump -w file
> and a dump captured through Ethereal?

Yes. If you run

	tcpdump -w file

to do a capture, the packets will be truncated to the default tcpdump "snapshot length", which is typically 68 bytes if tcpdump wasn't built with IPv6 support or 96 bytes if tcpdump was built with IPv6 support. Only the first 68 or 96 bytes of the packet (depending on the default) will be saved in the capture.

If you use Ethereal to do a capture, and don't turn on the "Limit each packet to {N} bytes" option ("N" defaults to 68), the entire packet will be saved in the capture file.

> Why is the interpretation not the same in both?

Probably because tcpdump doesn't, by default, save the entire packet. Check whether any of the packets dissected differently have different "bytes on wire" and "bytes captured" values in the "Frame N" line of the detailed dissection in the middle pane in the tcpdump capture - if "bytes captured" is less than "bytes on wire" in the tcpdump capture, that's the problem.

> Does 'tcpdump -w file' not capture the whole packet length?

No, it doesn't. If you want to do that, you'd have to do

	tcpdump -s 65535 -w file

or, in recent versions of tcpdump:

	tcpdump -s 0 -w file

(in recent versions of tcpdump, a snapshot length of 0 means "make the snapshot length 65535").
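The "bytes captured" versus "bytes on wire" check described in the reply can be done on the capture file itself, without opening it in Ethereal. The script below is an added example, not code from the mailing-list thread or from tcpdump or Ethereal. It assumes the capture is in the classic libpcap file format (the format both `tcpdump -w` and Ethereal write), reads the snapshot length from the global header, and flags every record whose captured length is shorter than its length on the wire. The sample capture it builds (`build_capture`) is constructed in memory with filler bytes, so the script runs offline; point it at a real file by passing the path as its first argument.

```python
"""Report packets in a pcap file that were truncated by the snapshot length.

Added example (not from the original thread). Parses the classic libpcap
file format and compares each record's captured length with its length on
the wire, i.e. the "bytes captured" vs "bytes on wire" check from the reply.
"""
import struct
import sys

# Classic libpcap magic numbers as they appear when the first four bytes are
# read little-endian; the value tells us the byte order the writer used.
_MAGICS = {
    0xA1B2C3D4: "<",  # little-endian file, microsecond timestamps
    0xD4C3B2A1: ">",  # big-endian file, microsecond timestamps
    0xA1B23C4D: "<",  # little-endian file, nanosecond timestamps
    0x4D3CB2A1: ">",  # big-endian file, nanosecond timestamps
}

GLOBAL_HEADER_LEN = 24  # magic + version + thiszone + sigfigs + snaplen + linktype
RECORD_HEADER_LEN = 16  # ts_sec + ts_usec + incl_len + orig_len


def parse_pcap(data):
    """Parse a pcap byte string into (snaplen, records).

    Each record is a dict with the 1-based frame number (matching Ethereal's
    "Frame N" line), captured length, length on the wire and a truncated flag.
    Malformed input (bad magic, record longer than snaplen or file) raises
    ValueError rather than being silently skipped.
    """
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("file too short to hold a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in _MAGICS:
        raise ValueError("not a classic libpcap file (magic 0x%08x)" % magic)
    endian = _MAGICS[magic]
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, snaplen, _ = struct.unpack(endian + "HHiIII",
                                           data[4:GLOBAL_HEADER_LEN])
    records = []
    offset = GLOBAL_HEADER_LEN
    while offset < len(data):
        if offset + RECORD_HEADER_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        _, _, caplen, wirelen = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        offset += RECORD_HEADER_LEN
        if caplen > snaplen or offset + caplen > len(data):
            raise ValueError("frame %d: captured length %d exceeds snaplen or file"
                             % (len(records) + 1, caplen))
        records.append({
            "frame": len(records) + 1,
            "caplen": caplen,
            "wirelen": wirelen,
            "truncated": caplen < wirelen,
        })
        offset += caplen
    return snaplen, records


def truncated_frames(data):
    """Return (frame, bytes captured, bytes on wire) for every truncated packet."""
    _, records = parse_pcap(data)
    return [(r["frame"], r["caplen"], r["wirelen"])
            for r in records if r["truncated"]]


def build_capture(snaplen, wire_lengths, endian="<"):
    """Construct a pcap file in memory (constructed sample data, not real traffic).

    One Ethernet (linktype 1) record per entry in wire_lengths, each cut to
    snaplen bytes the way a capture tool cuts packets; bodies are filler bytes.
    """
    header = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    body = b""
    for i, wirelen in enumerate(wire_lengths):
        caplen = min(wirelen, snaplen)
        body += struct.pack(endian + "IIII", 1047600000 + i, 0, caplen, wirelen)
        body += bytes([i & 0xFF]) * caplen
    return header + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        # Constructed sample: tcpdump's old default snaplen of 68 bytes, a
        # 60-byte minimum-size frame and a 1514-byte full-size Ethernet frame.
        data = build_capture(68, [60, 1514])
    snaplen, records = parse_pcap(data)
    print("snaplen: %d bytes" % snaplen)
    for r in records:
        print("Frame %d: %d bytes on wire, %d bytes captured  %s"
              % (r["frame"], r["wirelen"], r["caplen"],
                 "TRUNCATED" if r["truncated"] else "ok"))
```

Run without arguments it reports the 1514-byte frame of the constructed sample as truncated at 68 bytes, which is exactly the mismatch that makes Ethereal dissect a tcpdump capture differently from its own; a file written with `-s 65535` (or `-s 0` on recent tcpdump) produces no truncated frames.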