Kaushal Shriyan wrote:
is it better to run tcpdump -i eth0 -s 0 -w dump host 192.168.0.1
<http://192.168.0.1/> and host 192.168.0.2 <http://192.168.0.2/> and
port 443
or instead tcpdump -i eth0 -s 1500 -w dump host 192.168.0.1
<http://192.168.0.1/> and host 192.168.0.2 <http://192.168.0.2/> and
port 443
which is the best method
Assuming you're using tcpdump 3.6 or later (as per my earlier mail,
3.4[.x] and 3.5[.x] don't support "-s 0"):
Given that the "snapshot length" includes the link-layer header - i.e.,
it's *NOT* the MTU - a snapshot length of 1500 will cut off the last 14
bytes of a full-length 1514-byte Ethernet packet. Therefore, "-s 0" is
better than "-s 1500".
It's also better than "-s 1514", because
1) it works on all interfaces, regardless of the maximum packet size
(i.e., you don't have to know the maximum packet size of an interface if
you just use "-s 0");
2) it's 3 fewer characters to type. :-)
