tcpdump mailing list archives
Re: Protocol headers-only capture?
From: Matthew Luckie <mjl () luckie org nz>
Date: Thu, 18 Dec 2008 09:18:48 +1300
Guy Harris wrote:
> On Dec 17, 2008, at 11:10 AM, Dustin Spicuzza wrote:
>
>> Is there currently a way to save protocol headers (and by this, I mean ARP/IP/TCP/UDP/ICMP headers) to a file *without* the remaining payload?
>
> There's no way to do *exactly* that.
>
> You can, however, specify a snapshot length with "-s" that would save an amount of packet data that would include the headers and only a limited amount of remaining payload (assuming packets don't have a large number of IP or TCP options).
could -s become a parameter that takes words as well as numbers, and have the compiler return the appropriate number of bytes in each case? so -s udphdr -s tcphdr would return 14 + 20 + 8 for UDP packets on ethernet, and tcphdr would return 14 + 20 + 20 bytes for TCP packets (extra points for snapping tcp options).
i guess this might be quite a bit harder to implement than it is to talk about.
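The per-packet arithmetic discussed in the message above (14 + 20 + 8 for UDP, 14 + 20 + 20 for TCP, plus IP and TCP options), as an added example that is not part of the original post and is not tcpdump or libpcap code. `header_len` and `sample_header_len` are hypothetical names, and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define ETH_HLEN 14
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static size_t clamp(size_t want, size_t caplen) { return want < caplen ? want : caplen; }

/* Leading bytes of an Ethernet frame that are ARP/IPv4/TCP/UDP/ICMP headers (<= caplen). */
size_t header_len(const uint8_t *f, size_t caplen)
{
    size_t off = ETH_HLEN;
    if (caplen < off) return caplen;
    uint16_t etype = be16(f + 12);
    if (etype == 0x0806) {                        /* ARP: 8 fixed bytes + 2*(hlen+plen) */
        if (caplen < off + 8) return caplen;
        return clamp(off + 8 + 2 * ((size_t)f[off + 4] + f[off + 5]), caplen);
    }
    if (etype != 0x0800) return off;              /* other ethertypes: link header only */
    if (caplen < off + 20) return caplen;         /* truncated IPv4 header */
    size_t ihl = (size_t)(f[off] & 0x0f) * 4;     /* IHL is in 32-bit words, options included */
    if ((f[off] >> 4) != 4 || ihl < 20) return off;        /* malformed IPv4 */
    uint8_t proto = f[off + 9];
    int later_frag = (be16(f + off + 6) & 0x1fff) != 0;    /* fragment offset > 0 */
    off += ihl;
    if (later_frag) return clamp(off, caplen);    /* no transport header in this fragment */
    if (proto == 17 || proto == 1) return clamp(off + 8, caplen);   /* UDP, ICMP */
    if (proto == 6) {
        if (caplen < off + 13) return caplen;     /* data-offset byte was not captured */
        size_t thl = (size_t)(f[off + 12] >> 4) * 4;       /* data offset covers TCP options */
        return clamp(off + (thl < 20 ? 20 : thl), caplen);
    }
    return clamp(off, caplen);
}

/* Constructed sample: zero-filled 256-byte frame with only the length fields set. */
size_t sample_header_len(uint8_t proto, unsigned ip_words, unsigned tcp_words, size_t caplen)
{
    uint8_t f[256] = {0};
    f[12] = 0x08; f[13] = 0x00;                   /* ethertype IPv4 */
    f[14] = (uint8_t)(0x40 | ip_words);           /* version 4, IHL */
    f[14 + 9] = proto;
    f[14 + ip_words * 4 + 12] = (uint8_t)(tcp_words << 4); /* TCP data offset; unused for UDP */
    return header_len(f, caplen);
}

int main(void)
{
    printf("udp=%zu tcp=%zu\n", sample_header_len(17, 5, 0, 256), sample_header_len(6, 5, 5, 256));
}
```

A capture tool applying this would truncate each packet to the returned length before writing it, instead of using one fixed snapshot length for every packet.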