>At this layer if there is a long application message. >Is the raw packets are broken up ? If a they're broken up on the network, then they're broken up when tcpdump sees them. >Is this layer above the TCP/IP stack where all the >packets are packed together ? No; tcpdump works *below* the TCP/IP stack and monitors what's going on on the actual network wire. If you're interested in reassembling streams, you might want to check out something like libnids, http://www.packetfactory.net/libnids/ Bill - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
