tcpdump mailing list archives

Re: Protocol headers-only capture?


From: Guy Harris <guy () alum mit edu>
Date: Wed, 17 Dec 2008 12:53:01 -0800


On Dec 17, 2008, at 12:18 PM, Matthew Luckie wrote:

> could -s become a parameter that takes words as well as numbers, and have the compiler return the appropriate number of bytes in each case? so -s udphdr -s tcphdr would return 14 + 20 + 8 for UDP packets on ethernet,

Not all link layers have fixed-length headers (consider 802.11) and the IPv4 header isn't guaranteed to be 20 bytes long (options).

> and tcphdr would return 14 + 20 + 20 bytes for TCP packets (extra points for snapping tcp options).

If you want to handle TCP (or IP) options, you no longer have a fixed snapshot length, so you'd have to do something along the lines of what I discussed, or pick a snapshot length that's "big enough" for typical packets.
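Added example, not part of the original message and not tcpdump or libpcap code: a per-packet computation of the headers-only length, showing why neither 14 + 20 + 8 nor 14 + 20 + 20 is a safe fixed snapshot length once IP or TCP options appear. The names `headers_len` and `make_frame` are hypothetical, and the code assumes plain Ethernet II framing (no VLAN tag) carrying IPv4.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14  /* assumption: plain Ethernet II, no VLAN tag */

/* Bytes needed to cover the Ethernet + IPv4 + TCP/UDP headers of one frame.
 * Returns 0 if the frame is not IPv4 TCP/UDP or is too short to decide. */
size_t headers_len(const uint8_t *p, size_t len)
{
    if (len < ETH_HLEN + 20 || p[12] != 0x08 || p[13] != 0x00)
        return 0;                                    /* not IPv4 */
    const uint8_t *ip = p + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;         /* 20..60 with options */
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < ETH_HLEN + ihl)
        return 0;
    size_t l4 = ETH_HLEN + ihl;
    if ((((ip[6] & 0x1f) << 8) | ip[7]) != 0)
        return l4;               /* non-first fragment: no transport header */
    if (ip[9] == 17)
        return l4 + 8;                               /* UDP header is fixed */
    if (ip[9] != 6 || len < l4 + 13)
        return 0;
    size_t doff = (size_t)(p[l4 + 12] >> 4) * 4;     /* 20..60 with options */
    return doff < 20 ? 0 : l4 + doff;
}

/* Constructed sample frame: only the fields headers_len() reads are set. */
size_t make_frame(uint8_t buf[128], uint8_t proto, unsigned ip_words,
                  unsigned tcp_words)
{
    memset(buf, 0, 128);
    buf[12] = 0x08; buf[13] = 0x00;                  /* EtherType IPv4 */
    buf[ETH_HLEN] = (uint8_t)(0x40 | ip_words);      /* version 4, IHL */
    buf[ETH_HLEN + 9] = proto;
    buf[ETH_HLEN + ip_words * 4 + 12] = (uint8_t)(tcp_words << 4);
    return 128;
}

int main(void)
{
    uint8_t f[128];
    printf("UDP, no IP options:   %zu\n", headers_len(f, make_frame(f, 17, 5, 0)));
    printf("TCP, no options:      %zu\n", headers_len(f, make_frame(f, 6, 5, 5)));
    printf("TCP, 12 option bytes: %zu\n", headers_len(f, make_frame(f, 6, 5, 8)));
    printf("TCP, 4 IP opt bytes:  %zu\n", headers_len(f, make_frame(f, 6, 6, 5)));
    return 0;
}
```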

