Wireshark-users: Re: [Wireshark-users] tcpdump command to capture https traffic
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 19 Jul 2007 09:38:25 -0700
Kaushal Shriyan wrote:

is it better to run tcpdump -i eth0 -s 0 -w dump host 192.168.0.1 <http://192.168.0.1/> and host 192.168.0.2 <http://192.168.0.2/> and port 443

or instead tcpdump -i eth0 -s 1500 -w dump host 192.168.0.1 <http://192.168.0.1/> and host 192.168.0.2 <http://192.168.0.2/> and port 443

which is the best method

Assuming you're using tcpdump 3.6 or later (as per my earlier mail, 3.4[.x] and 3.5[.x] don't support "-s 0"):

Given that the "snapshot length" includes the link-layer header - i.e., it's *NOT* the MTU - a snapshot length of 1500 will cut off the last 14 bytes of a full-length 1514-byte Ethernet packet. Therefore, "-s 0" is better than "-s 1500".

It's also better than "-s 1514", because

1) it works on all interfaces, regardless of the maximum packet size (i.e., you don't have to know the maximum packet size of an interface if you just use "-s 0");

	2) it's 3 fewer characters to type. :-)