tcpdump mailing list archives
Re: tcpdump -r option
From: Guy Harris <guy () alum mit edu>
Date: Thu, 23 Feb 2006 00:04:39 -0800
Latha G wrote:
And one more thing, we are using tcpdump -w dump.pcap means the whole raw packet will be stored or only 96 bytes (default) of the packet will be stored in dump.pcap?
It means that all the captured bytes will be stored - but, as no "-s" flag was given, the limit on the per-packet number of captured bytes will be the default 96 (or 68 for versions of tcpdump without IPv6 support), and therefore no more than 96 bytes will be supplied by libpcap to tcpdump and thus no more than 96 bytes of packet data will be written to dump.pcap.
If only 96 bytes will be stored then we can't get the correct output for tcpdump -s 200 -r dump.pcap, right?
Right. No computer so far built has been given the ability to change the past, so "-s", when combined with "-r", can't magically undo the snapshot length in effect when the capture was done.
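Added example, not part of the original message and not tcpdump or libpcap code: a short Python reader for the classic pcap file format that shows where the snapshot length and each packet's stored and on-the-wire lengths are recorded, so a capture can be checked for truncation before analysis. The helper names, the timestamps and the two all-zero sample frames are constructed for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def build_pcap(snaplen, packets):
    """Build a classic pcap file in memory, truncating each packet to snaplen."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for ts, data in packets:
        kept = data[:snaplen]  # bytes beyond snaplen never reach the file
        out += struct.pack("<IIII", ts, 0, len(kept), len(data)) + kept
    return out

def audit_pcap(blob):
    """Return (snaplen, [(caplen, origlen, truncated), ...]) for a classic pcap blob."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # same magic written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    snaplen = struct.unpack_from(endian + "IHHiIII", blob, 0)[5]
    records, off = [], 24
    while off + 16 <= len(blob):
        _, _, caplen, origlen = struct.unpack_from(endian + "IIII", blob, off)
        off += 16
        if off + caplen > len(blob):
            raise ValueError("file ends inside a packet record")
        records.append((caplen, origlen, caplen < origlen))
        off += caplen
    return snaplen, records

def bytes_recoverable(blob, wanted):
    """How many of the `wanted` bytes per packet are actually present in the file."""
    _, records = audit_pcap(blob)
    return [min(caplen, wanted) for caplen, _, _ in records]

# Constructed sample: a 60-byte and a 1514-byte frame, captured with snaplen 96.
SAMPLE = build_pcap(96, [(1140681879, bytes(60)), (1140681880, bytes(1514))])

if __name__ == "__main__":
    snaplen, records = audit_pcap(SAMPLE)
    print("file snaplen:", snaplen)
    for caplen, origlen, truncated in records:
        print(f"stored {caplen} of {origlen} bytes, truncated={truncated}")
    print("available when asking for 200:", bytes_recoverable(SAMPLE, 200))
```

A record whose stored length is below its original length was cut at capture time, and the only remedy is a new capture with a larger "-s".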