Snort mailing list archives
Re: capturing arp (Absent jusqu'au 29/07/2002)
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Wed, 16 Apr 2003 23:29:54 +0200
Hi,

I don't really know what is happening then - if you specify 65535(! ;) ) and the real framesize is 60 bytes. Could it be that 64kByte of data is being copied from the kernel space to the user space and then the application has to throw (65535 - 60) bytes away or is it the kernel socket filter (we're talking about Linux now, aren't we) where the "filtering" is done? In the former case it would be quite a waste of CPU time and memory. As a relief: ARP packets are quite seldom anyway ;) . However, it could be interesting with UDP again.

Why would you want to capture more than MTU + 14 bytes - as Snort is doing by default? Unless you have Hyperchannel, of course ;) .

Regards,

Edin

Chris Green wrote:
Be careful on who you quote as saying what. :)

tcpdump -s 65335 -w arp.cap arp

Why would you want to capture more than 60 bytes?

I type -s, I go big and I don't wanna think what the max frame size is for whatever Data Link Layer. I generally care most about larger packets and the most often thing you have to tell people to do when using tcpdump to provide packet captures is adjust the data link layer.
--
Edin Dizdarevic