Wireshark · Ethereal-users: Re: [Ethereal-users] New to capturing, ? about http authorizations

[Jonathan Sanders <jonathan@xxxxxxxxxxxxx>]

Can't you throw in a -e for link level info? And you're right about the 
-s 0, I just throw 1500 down there out of an old bad habit and haven't 
changed to -s 0 yet. :) Thanks for the reminder. I really need to get 
with the times here...


Guy Harris wrote:
> Jonathan Sanders wrote:
>
> > I do a
> >
> > tcpdump -nt -X -s1500 'filter expression here'
> >
> > for whenever I need to get the actual packet data from tcpdump....
>
>
> Presumably by "actual packet data" you mean "full packet dissection" - 
> if you mean "raw packet data", in a form Ethereal can use, you'd also 
> use "-w {filename}" for a file that can be read by programs that can 
> read libpcap files (tcpdump/WinDump, Ethereal/Tethereal, and a number of 
> other programs that do various sorts of network analysis).
>
> Note also that if you want to capture a full Ethernet packet, the 
> argument to "-s" needs to be 1514 or greater or, in newer versions of 
> tcpdump, 0 (which, in newer versions, means "65535", which is the 
> largest snapshot length that some systems support).  The argument to 
> "-s" is the largest packet length *including the link-layer header*, not 
> the largest *payload* length - i.e., if you want all packets to be 
> captured in full, it should *not* be the MTU for the network.
>
> (Note also that the "link-layer header" might include various bits of 
> "metadata", such as VPI/VCI and possibly packet type information for ATM 
> and radio information such as signal strength for some 802.11 link-layer 
> header types.)
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users