Guy Harris wrote:
> On Dec 17, 2008, at 11:10 AM, Dustin Spicuzza wrote:
>> Is there currently a way to save protocol headers (and by this, I mean
>> ARP/IP/TCP/UDP/ICMP headers) to a file *without* the remaining payload?
>
> There's no way to do *exactly* that.
> You can, however, specify a snapshot length with "-s" that would save an
> amount of packet data that would include the headers and only a limited
> amount of remaining payload (assuming packets don't have a large number
> of IP or TCP options).

Could -s become a parameter that takes words as well as numbers, and
have the compiler return the appropriate number of bytes in each case?
So -s udphdr -s tcphdr would return 14 + 20 + 8 for UDP packets on
Ethernet, and tcphdr would return 14 + 20 + 20 bytes for TCP packets
(extra points for snapping TCP options).
I guess this might be quite a bit harder to implement than it is to talk
about.
-
This is the tcpdump-workers list.
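
The per-packet arithmetic discussed in this thread (14 + 20 + 8 for UDP, 14 + 20 + 20 for TCP, plus IP and TCP options) can be sketched as follows. This is an added example, not tcpdump or libpcap code and not from any poster; `header_snaplen` and `make_frame` are hypothetical names, and untagged Ethernet II with IPv4 is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14 /* assumption: untagged Ethernet II (no VLAN tag) */
/* Bytes covering the link, network and transport headers of one frame,
 * honouring IP and TCP options; never more than caplen. */
size_t header_snaplen(const uint8_t *p, size_t caplen)
{
    size_t len = ETH_HLEN;
    if (caplen < ETH_HLEN) return caplen;
    unsigned ethertype = (unsigned)p[12] << 8 | p[13];
    if (ethertype == 0x0806) {                     /* ARP for IPv4 on Ethernet */
        len += 28;
    } else if (ethertype == 0x0800) {
        const uint8_t *ip = p + ETH_HLEN;
        if (caplen < ETH_HLEN + 20) return caplen; /* truncated IP header */
        size_t ihl = (size_t)(ip[0] & 0x0f) * 4;   /* includes IP options */
        if ((ip[0] >> 4) != 4 || ihl < 20) return ETH_HLEN; /* malformed */
        len += ihl;
        int first_frag = ((ip[6] & 0x1f) | ip[7]) == 0; /* fragment offset 0 */
        if (first_frag && ip[9] == 6) {            /* TCP */
            if (caplen < len + 13) return caplen;  /* cannot read data offset */
            size_t doff = (size_t)(ip[ihl + 12] >> 4) * 4; /* includes options */
            len += doff >= 20 ? doff : 0;
        } else if (first_frag && (ip[9] == 17 || ip[9] == 1)) {
            len += 8;                              /* UDP or ICMP header */
        }
    }
    return len < caplen ? len : caplen;
}

/* Constructed sample frame: all zero except the fields parsed above. */
void make_frame(uint8_t *buf, size_t n, uint8_t proto,
                unsigned ihl_words, unsigned doff_words)
{
    memset(buf, 0, n);
    buf[12] = 0x08;                                /* EtherType 0x0800, IPv4 */
    buf[ETH_HLEN] = (uint8_t)(0x40 | ihl_words);   /* version 4, IHL */
    buf[ETH_HLEN + 9] = proto;
    if (proto == 6)                                /* TCP data offset nibble */
        buf[ETH_HLEN + ihl_words * 4 + 12] = (uint8_t)(doff_words << 4);
}

int main(void)
{
    uint8_t f[128];
    make_frame(f, sizeof f, 6, 5, 8);              /* TCP with 12 option bytes */
    printf("%zu\n", header_snaplen(f, sizeof f));
    return 0;
}
```

The result depends on the contents of each packet, whereas the "-s" snapshot length is a single value applied to the whole capture.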