Robert Edmonds <[email protected]> writes:

> for instance, a snapshot length of 1514 actually results in only a
> maximum of 1498 bytes being captured, so those who think they are
> doing "full packet capture" actually are not, thus breaking TCP
> stream reassembly and IP defragmentation, potentially blinding
> sensors that depend on libpcap.

Sure it's possible, but quite unlikely. People who want to do "full
packet capture" usually set snaplen to 65535, which is the default
for tcpdump, ngrep, tcpflow, etc.

-- 
Romain Francoise <[email protected]>
http://people.debian.org/~rfrancoise/
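
A check for the truncation discussed in this thread, added here as an example and not part of either message: it reads a classic pcap savefile and lists the records whose stored length is shorter than their length on the wire, which is what breaks reassembly downstream. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Classic pcap magic numbers as they appear on disk (microsecond / nanosecond).
LITTLE = (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1")
BIG = (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d")


def audit_pcap(data: bytes) -> dict:
    """Return snaplen, record count and (index, caplen, wirelen) of cut records."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    if data[:4] in LITTLE:
        endian = "<"
    elif data[:4] in BIG:
        endian = ">"
    else:
        raise ValueError("not a classic pcap savefile")
    # version major/minor, thiszone, sigfigs, snaplen, link type
    snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])[4:]
    offset, count, truncated = 24, 0, []
    while offset + 16 <= len(data):
        # ts_sec, ts_frac, captured length, original length on the wire
        _, _, caplen, wirelen = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + caplen > len(data):
            raise ValueError("record %d runs past end of file" % count)
        if caplen < wirelen:
            truncated.append((count, caplen, wirelen))
        offset += caplen
        count += 1
    return {"snaplen": snaplen, "linktype": linktype,
            "records": count, "truncated": truncated}


def build_sample() -> bytes:
    """Constructed savefile mirroring the figures quoted above: snaplen 1514,
    one 60-byte frame stored whole, one 1514-byte frame stored as 1498 bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)
    for caplen, wirelen in ((60, 60), (1498, 1514)):
        out += struct.pack("<IIII", 0, 0, caplen, wirelen) + bytes(caplen)
    return out


if __name__ == "__main__":
    report = audit_pcap(build_sample())
    print("snaplen=%d records=%d" % (report["snaplen"], report["records"]))
    for index, caplen, wirelen in report["truncated"]:
        print("record %d: stored %d of %d bytes" % (index, caplen, wirelen))
```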