On Tue, Mar 12, 2002 at 07:44:10PM -0500, Ashley Thomas wrote:
> What is the minimum capture length of an ethernet packet I need
> to do the most important analysis of a packet.

That depends on what you mean by "most important". If, for example, you're trying to solve an NFS problem, the most important analysis requires more than the link-layer+IP+TCP header - and, for some problems, might require the entire (consider trying to analyze an NFS READDIR/READDIRPLUS reply, for example).

> ethernet - 14 bytes +
> ip - 20 (up to 60)
> tcp - 20
>
> these would contain all the fields required for doing the filtering
> similar to tcpdump.

Yes, but that's not necessarily all you'd need.

> does tcpdump do filtering on transport layer payload
> ?? or appl data ?

No, but it certainly *prints* data beyond the transport-layer header.

> so if the capture length is 54 (or 94) we can do all the packet analysis ?

Only if you don't plan to analyze anything past the TCP header.

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
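An added example, not part of the original message: it reads the IP and TCP header-length fields of a frame to show how much of it survives a capture length of 54 or 94 bytes. It assumes Ethernet II without VLAN tags and IPv4; the function names and the sample frame are constructed for illustration. The TCP header, like the IP header, can grow to 60 bytes when options are present.

```python
import struct

ETH_LEN = 14  # Ethernet II header without a VLAN tag (assumption)

def build_frame(tcp_options: bytes, payload: bytes) -> bytes:
    """Constructed sample Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
    doff = 20 + len(tcp_options)  # TCP header length, options included
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + doff + len(payload),
                     0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 1023, 2049, 0, 0, (doff // 4) << 4,
                      0x18, 65535, 0, 0) + tcp_options
    return eth + ip + tcp + payload

def header_end(frame: bytes):
    """Return (ip_hdr_len, tcp_hdr_len, payload_offset) from the captured bytes."""
    if len(frame) < ETH_LEN + 20:
        raise ValueError("truncated before the end of a minimal IPv4 header")
    if frame[12:14] != b"\x08\x00" or frame[ETH_LEN + 9] != 6:
        raise ValueError("not IPv4/TCP")
    ihl = (frame[ETH_LEN] & 0x0F) * 4        # IP header: 20 to 60 bytes
    tcp_off = ETH_LEN + ihl
    if len(frame) < tcp_off + 13:
        raise ValueError("truncated before the TCP data-offset field")
    doff = (frame[tcp_off + 12] >> 4) * 4    # TCP header: 20 to 60 bytes
    return ihl, doff, tcp_off + doff

def snaplen_report(frame: bytes, snaplen: int) -> dict:
    """What a capture with the given snapshot length keeps of this frame."""
    captured = frame[:snaplen]
    _, _, payload_off = header_end(captured)
    return {
        "headers_complete": len(captured) >= payload_off,
        "payload_captured": max(0, len(captured) - payload_off),
        "payload_on_wire": len(frame) - payload_off,
    }

if __name__ == "__main__":
    ts_opt = b"\x01\x01\x08\x0a" + bytes(8)  # NOP, NOP, timestamp option (12 bytes)
    frame = build_frame(ts_opt, b"A" * 100)  # 100 bytes of application data
    for snaplen in (54, 94):
        print(snaplen, snaplen_report(frame, snaplen))
```

With the 12-byte timestamp option the headers end at byte 66, so a 54-byte capture cuts into the TCP header itself, and a 94-byte capture keeps only the first 28 bytes of application data.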
