Stuart Henderson <s...@spacehopper.org> wrote:
On 2009/01/10 23:11, Helmut Schneider wrote:
Stuart Henderson <s...@spacehopper.org> wrote:
On 2009/01/10 22:11, Helmut Schneider wrote:
What do I have to do to see the detailed live output? I at least want
to see a detailed IPv6 output.
Increase the snaplen (-s).
What is the desired snaplen? Or in other words are there any caveats
to use e.g. 192 (2xdefault)?
it is down to your requirements.
if you want to read further into the application data (either as
-v or -vv decodes, and/or -X hex/ascii dump), you'll need more than
if you just want to look at the src/dest/port.
Does 'tcpdump -r' calculate the best snaplen before outputting then?
tcpdump -r shows whatever is in the file. by default pflogd
uses 116, see the description of -s in pflogd(8).
Ah, I always read tcpdumps manpage. And from man tcpdump(8) on OpenBSD:
[...] rather than the default of 96. 96 bytes is adequate for IP, ICMP, TCP,
and UDP
While from man tcpdump(8) on FreeBSD:
[...] rather than the default of 68. 68 bytes is adequate for IP, ICMP, TCP
and UDP
And finally from man pflogd(8) on both:
[...] rather than the default of 116. 116 bytes is adequate for IP, ICMP,
TCP, and UDP
But afaics 168 is adequate for my requirements.
Thanks, Helmut
--
No Swen today, my love has gone away
My mailbox stands for lorn, a symbol of the dawn