Snort mailing list archives

Re: capturing arp (Away until 29/07/2002)


From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Wed, 16 Apr 2003 23:29:54 +0200

Hi,

I don't really know what is happening then - if you specify 65535(! ;) )
and the real frame size is 60 bytes. Could it be that 64 kByte of data is
being copied from the kernel space to the user space and then the
application has to throw (65535 - 60) bytes away, or is it the kernel
socket filter (we're talking about Linux now, aren't we) where the
"filtering" is done? In the former case it would be quite a waste of CPU
time and memory. As a relief: ARP packets are quite rare anyway ;) .
However, it could be interesting with UDP again.

Why would you want to capture more than MTU + 14 bytes - as Snort is
doing by default? Unless you have Hyperchannel, of course ;) .

Regards,

Edin


Chris Green wrote:
Be careful on who you quote as saying what. :)


tcpdump -s 65335 -w arp.cap arp

Why would you want to capture more than 60 bytes?


I type -s, I go big and I don't wanna think what the max frame size is
for whatever Data Link Layer.  I generally care most about larger
packets, and the thing you most often have to tell people to do when
using tcpdump to provide packet captures is to adjust the data link
layer.


-- 
Edin Dizdarevic
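The question raised in the thread is whether a 65535-byte snaplen costs 64 kByte per packet. In the classic pcap file format (the one tcpdump -w writes), and in libpcap's API, the snaplen is an upper bound: each packet record stores incl_len = min(snaplen, wire length), so a 60-byte ARP frame occupies 60 bytes whatever -s says. The real cost sits on the other side: a snaplen that is too small silently truncates packets, which is what you want to detect before trusting a capture someone hands you. The Python below is an added example, not part of the original post and not tcpdump's or Snort's code. It builds a pcap in memory from two constructed frames (a padded 60-byte ARP request and a 1514-byte maximum-size frame; the MAC and IP addresses are made up), parses it back, and reports which packets a given snaplen cut short.

```python
import struct
from dataclasses import dataclass

# Classic little-endian pcap constants (the format tcpdump -w writes).
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")         # ts_sec, ts_usec, incl_len, orig_len
ETH_MIN = 60                             # minimum Ethernet frame as seen without the FCS
ETH_MTU_FRAME = 1500 + 14                # the "MTU + 14" figure from the thread


@dataclass
class Record:
    incl_len: int   # bytes actually stored in the file (caplen)
    orig_len: int   # bytes that were on the wire
    data: bytes

    @property
    def truncated(self):
        return self.incl_len < self.orig_len


def arp_request_frame():
    """Constructed sample: a padded ARP request as it appears on the wire (60 bytes)."""
    src_mac = bytes.fromhex("020000000001")           # locally administered, made up
    eth = b"\xff" * 6 + src_mac + b"\x08\x06"         # dst, src, EtherType ARP
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      src_mac, bytes([192, 0, 2, 1]),  # sender MAC / IP (TEST-NET-1)
                      b"\x00" * 6, bytes([192, 0, 2, 2]))  # target MAC / IP
    frame = eth + arp                                 # 42 bytes of real content
    return frame + b"\x00" * (ETH_MIN - len(frame))   # padded to the Ethernet minimum


def full_size_frame():
    """Constructed sample: a maximum-size frame (14-byte header + 1500-byte payload)."""
    return b"\xff" * 6 + bytes.fromhex("020000000002") + b"\x08\x00" + b"\x00" * 1500


def build_pcap(snaplen, frames):
    """Serialise frames the way a pcap records them: at most snaplen bytes per packet,
    with incl_len never larger than what was on the wire."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, frame in frames:
        kept = frame[:snaplen]
        out += PKT_HDR.pack(ts_sec, 0, len(kept), len(frame)) + kept
    return bytes(out)


def parse_pcap(data):
    """Return (snaplen, [Record, ...]) for a little-endian classic pcap."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("short pcap header")
    magic, _, _, _, _, snaplen, _linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap (pcapng or big-endian?)")
    records, off = [], GLOBAL_HDR.size
    while off + PKT_HDR.size <= len(data):
        _, _, incl_len, orig_len = PKT_HDR.unpack_from(data, off)
        off += PKT_HDR.size
        # A record claiming more than snaplen, or running past EOF, is corrupt.
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("corrupt packet record at offset %d" % off)
        records.append(Record(incl_len, orig_len, data[off:off + incl_len]))
        off += incl_len
    return snaplen, records


def truncated_packets(data):
    """Indices of packets whose stored bytes are fewer than their wire length,
    i.e. the packets the chosen -s value cut short."""
    _, records = parse_pcap(data)
    return [i for i, r in enumerate(records) if r.truncated]


def stored_bytes(data):
    """Total packet bytes the file holds: what actually had to be copied and written."""
    _, records = parse_pcap(data)
    return sum(r.incl_len for r in records)


if __name__ == "__main__":
    frames = [(0, arp_request_frame()), (1, full_size_frame())]
    for snap in (65535, ETH_MTU_FRAME, 96):
        pcap = build_pcap(snap, frames)
        print("snaplen %5d: stored %4d bytes, truncated packets %s"
              % (snap, stored_bytes(pcap), truncated_packets(pcap)))
```

Run on the two constructed frames, snaplen 65535 and snaplen 1514 both store 1574 bytes with nothing truncated, while snaplen 96 stores 156 bytes and flags the second packet: the oversized -s costs nothing per packet in the file, the undersized one loses data. The same truncated_packets() check works on a real tcpdump -w file, as long as it is a classic pcap rather than pcapng.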


