On 2009/01/11 00:36, Helmut Schneider wrote:
> Stuart Henderson <s...@spacehopper.org> wrote:
>> On 2009/01/10 23:11, Helmut Schneider wrote:
>>> Stuart Henderson <s...@spacehopper.org> wrote:
>>>> On 2009/01/10 22:11, Helmut Schneider wrote:
>>>>> What do I have to do to see the detailed live output? I at least want
>>>>> to see a detailed IPv6 output.
>>>>
>>>> Increase the snaplen (-s).
>>>
>>> What is the desired snaplen? Or in other words are there any caveats
>>> to use e.g. 192 (2xdefault)?
>>
>> it is down to your requirements.
>>
>> if you want to read further into the application data (either as
>> -v or -vv decodes, and/or -X hex/ascii dump), you'll need more than
>> if you just want to look at the src/dest/port.
>>
>>> Does 'tcpdump -r' calculate the best snaplen before outputting then?
>>
>> tcpdump -r shows whatever is in the file. by default pflogd
>> uses 116, see the description of -s in pflogd(8).
>
> Ah, I always read tcpdump's manpage. And from man tcpdump(8) on OpenBSD:
> [...] rather than the default of 96. 96 bytes is adequate for IP,
> ICMP, TCP, and UDP
>
> While from man tcpdump(8) on FreeBSD:
> [...] rather than the default of 68. 68 bytes is adequate for IP,
> ICMP, TCP and UDP
>
> And finally from man pflogd(8) on both:
> [...] rather than the default of 116. 116 bytes is adequate for IP,
> ICMP, TCP, and UDP
pflog has an additional header in front of the logged packet, with information about rule number, direction, etc. this means you need more bytes to capture than a plain IP/TCP/ICMP/UDP packet on an ethernet interface.
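Since `tcpdump -r` only shows what pflogd already wrote, the practical way to tell whether the snaplen was too small is to compare each record's captured length with its on-the-wire length in the pcap file. The script below is an added example written for this thread, not code from the list, OpenBSD or libpcap. It parses the classic pcap format (24-byte file header, 16-byte record headers) and flags records whose caplen is shorter than their original length. The sample frames are constructed in memory, and the 64-byte pflog header in front of them is an assumed stand-in size chosen for illustration; the real layout and length come from pflog(4). The IPv6/TCP and IPv4/TCP headers are zero-filled skeletons of the right lengths.

```python
import struct

DLT_PFLOG = 117          # libpcap link type for pflog(4) captures
PFLOG_STANDIN = 64       # assumed stand-in for the pflog header length (see pflog(4))

# Constructed sample packets (not real captures): stand-in pflog header followed by
# an IPv6 (40 bytes) + TCP (20 bytes) skeleton, and an IPv4 (20) + TCP (20) skeleton.
SAMPLE_PACKETS = [
    (1231628160, b'\x00' * PFLOG_STANDIN + b'\x60' + b'\x00' * 39 + b'\x00' * 20),  # 124 bytes
    (1231628161, b'\x00' * PFLOG_STANDIN + b'\x45' + b'\x00' * 19 + b'\x00' * 20),  # 104 bytes
]


def build_pcap(snaplen, packets, linktype=DLT_PFLOG):
    """Serialise a little-endian pcap file; each packet is clipped to snaplen,
    which mirrors what pflogd -s does on the live capture."""
    out = [struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, pkt in packets:
        cap = pkt[:snaplen]
        out.append(struct.pack('<IIII', ts_sec, 0, len(cap), len(pkt)))
        out.append(cap)
    return b''.join(out)


def parse_pcap(data):
    """Return (file_snaplen, linktype, records); each record notes its captured
    length, original wire length and whether the capture truncated it."""
    magic = struct.unpack_from('<I', data, 0)[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):        # little-endian, usec or nsec stamps
        end = '<'
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):      # big-endian variants
        end = '>'
    else:
        raise ValueError('not a pcap file (bad magic 0x%08x)' % magic)
    _, _, _, _, _, snaplen, linktype = struct.unpack_from(end + 'IHHiIII', data, 0)
    off, records = 24, []
    while off + 16 <= len(data):
        ts_sec, _ts_frac, caplen, origlen = struct.unpack_from(end + 'IIII', data, off)
        off += 16
        if off + caplen > len(data):
            raise ValueError('record at offset %d runs past end of file' % off)
        records.append({'index': len(records), 'ts': ts_sec, 'caplen': caplen,
                        'origlen': origlen, 'truncated': caplen < origlen})
        off += caplen
    return snaplen, linktype, records


def snaplen_report(data):
    """Summarise whether the file's snaplen was large enough: how many records were
    cut short and the largest wire length seen (the smallest snaplen that would
    have captured every packet whole)."""
    snaplen, linktype, recs = parse_pcap(data)
    return {
        'snaplen': snaplen,
        'linktype': linktype,
        'packets': len(recs),
        'truncated': sum(1 for r in recs if r['truncated']),
        'max_wire_len': max((r['origlen'] for r in recs), default=0),
    }


if __name__ == '__main__':
    for s in (116, 192):
        print('snaplen %d -> %s' % (s, snaplen_report(build_pcap(s, SAMPLE_PACKETS))))
```

Run against a real pflog file, `snaplen_report(open('/var/log/pflog', 'rb').read())` tells you how many records were clipped; a non-zero `truncated` count means the pflogd `-s` value was too small for the traffic, and `max_wire_len` is the figure to compare it with.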