Ethereal-users: Re: [Ethereal-users] New to capturing, ? about http authorizations

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 10 Dec 2004 11:29:11 -0800
Jonathan Sanders wrote:
> I do a
> 
> tcpdump -nt -X -s1500 'filter expression here'
> 
> for whenever I need to get the actual packet data from tcpdump....

Presumably by "actual packet data" you mean "full packet dissection" - if you mean "raw packet data", in a form Ethereal can use, you'd also use "-w (unknown)" for a file that can be read by programs that can read libpcap files (tcpdump/WinDump, Ethereal/Tethereal, and a number of other programs that do various sorts of network analysis).

Note also that if you want to capture a full Ethernet packet, the argument to "-s" needs to be 1514 or greater or, in newer versions of tcpdump, 0 (which, in newer versions, means "65535", which is the largest snapshot length that some systems support). The argument to "-s" is the largest packet length *including the link-layer header*, not the largest *payload* length - i.e., if you want all packets to be captured in full, it should *not* be the MTU for the network.

(Note also that the "link-layer header" might include various bits of "metadata", such as VPI/VCI and possibly packet type information for ATM and radio information such as signal strength for some 802.11 link-layer header types.)
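Worked example, added here and not part of the original thread or of tcpdump/Ethereal: the snapshot-length point above, shown on the libpcap file format that "-w" produces. The script writes a constructed 1514-byte Ethernet/IPv4 frame into an in-memory pcap file with snaplen 1500, 1514 and 0 (mapping 0 to 65535 as the message says newer tcpdump does), then reads the file back and reports every record whose captured length is shorter than its original wire length. The frame contents, addresses and timestamps are made-up sample input.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian, microsecond-timestamp pcap
LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14                 # dst MAC + src MAC + EtherType
MAX_SNAPLEN = 65535              # what the message says newer tcpdump uses for -s 0


def effective_snaplen(requested):
    """Mirror the '-s 0 means 65535' behaviour described in the message."""
    return MAX_SNAPLEN if requested == 0 else requested


def build_ipv4_frame(ip_payload_len):
    """Constructed sample frame: Ethernet II header + 20-byte IPv4 header + zero payload.
    MACs, IPs and the (zero) checksum are placeholders, not a real capture."""
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"
    total_len = 20 + ip_payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + bytes(ip_payload_len)


def write_pcap(frames, requested_snaplen):
    """Serialize (ts_sec, frame) pairs the way 'tcpdump -w' does: each record is cut
    at the snaplen, but the record header keeps the original on-the-wire length."""
    snaplen = effective_snaplen(requested_snaplen)
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, frame in frames:
        captured = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, 0, len(captured), len(frame)) + captured
    return out


def read_pcap(blob):
    """Parse a little-endian pcap blob into (snaplen, linktype, [(ts, caplen, origlen, bytes)])."""
    magic, _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, records = 24, []
    while off + 16 <= len(blob):
        ts_sec, _ts_usec, caplen, origlen = struct.unpack_from("<IIII", blob, off)
        off += 16
        records.append((ts_sec, caplen, origlen, blob[off:off + caplen]))
        off += caplen
    return snaplen, linktype, records


def truncation_report(blob):
    """Return (index, caplen, origlen, bytes_missing) for every record whose captured
    length is below its wire length. When an IPv4 header is present, bytes_missing is
    taken from the IP total-length field, i.e. how much of the datagram a dissector lacks."""
    _snaplen, linktype, records = read_pcap(blob)
    report = []
    for i, (_ts, caplen, origlen, data) in enumerate(records):
        if caplen >= origlen:
            continue
        missing = origlen - caplen
        if (linktype == LINKTYPE_ETHERNET and len(data) >= ETH_HDR_LEN + 20
                and data[12:14] == b"\x08\x00"):
            ip_total = struct.unpack_from("!H", data, ETH_HDR_LEN + 2)[0]
            missing = ip_total - (caplen - ETH_HDR_LEN)
        report.append((i, caplen, origlen, missing))
    return report


# constructed sample capture: one full-size 1514-byte frame, one small 74-byte frame
SAMPLE_FRAMES = [(1102700000, build_ipv4_frame(1480)),
                 (1102700001, build_ipv4_frame(40))]

if __name__ == "__main__":
    for s in (1500, 1514, 0):
        blob = write_pcap(SAMPLE_FRAMES, s)
        print(f"-s {s}: truncated records = {truncation_report(blob)}")
```

With "-s 1500" the full-size frame is recorded with caplen 1500 against origlen 1514, and the IPv4 total-length field (1500) shows a dissector is missing the last 14 bytes of the datagram, exactly the size of the Ethernet header that an MTU-sized snaplen forgot to budget for; "-s 1514" and "-s 0" leave nothing truncated. The same caplen-versus-origlen comparison is the quickest way to check an existing capture file for silent truncation before relying on it.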