From owner-freebsd-questions Thu Oct 9 13:57:42 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id NAA29249 for questions-outgoing; Thu, 9 Oct 1997 13:57:42 -0700 (PDT) (envelope-from owner-freebsd-questions)
Received: from plains.NoDak.edu (tinguely@plains.NoDak.edu [134.129.111.64]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id NAA29237 for ; Thu, 9 Oct 1997 13:57:37 -0700 (PDT) (envelope-from tinguely@plains.NoDak.edu)
Received: (from tinguely@localhost) by plains.NoDak.edu (8.8.5/8.8.5) id PAA12896; Thu, 9 Oct 1997 15:57:21 -0500 (CDT)
Date: Thu, 9 Oct 1997 15:57:21 -0500 (CDT)
From: Mark Tinguely
Message-Id: <199710092057.PAA12896@plains.NoDak.edu>
To: joe@via.net, questions@FreeBSD.ORG
Subject: Re: tcpdump
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> Does tcpdump dump the entire packet?

the default action is to copy the first 83 bytes from kernel space to the
tcpdump application. The option -s can change that default.

>
> Does the dumped data include the tcp headers or is it the
> "payload"?

the dumped data is the ethernet frame (which may be IP, or not).

--mark.
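
An added example, not part of the original message: a reader for the classic pcap file format that shows both points from the reply, the snapshot length cutting each frame short and the capture starting at the Ethernet header, whose EtherType says whether the frame is IP. The helper names and the two sample frames are constructed for illustration, with the snapshot length set to the 83 bytes quoted in the reply.

```python
import struct

# Constructed sample data and hypothetical helper names; classic pcap layout.
PCAP_MAGIC = 0xA1B2C3D4          # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

def build_sample_pcap(snaplen):
    """Build a constructed capture: a 1514-byte IPv4 frame and a 60-byte ARP frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    frames = [
        bytes(12) + b"\x08\x00" + bytes(1500),        # dst, src, EtherType, payload
        b"\xff" * 6 + bytes(6) + b"\x08\x06" + bytes(46),
    ]
    for frame in frames:
        kept = frame[:snaplen]                         # what the kernel copies out
        out += struct.pack("<IIII", 0, 0, len(kept), len(frame)) + kept
    return out

def read_pcap(data):
    """Return (snaplen, records); each record describes one captured frame."""
    if len(data) < 24:
        raise ValueError("file shorter than the pcap global header")
    magic, _, _, _, _, snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap file")
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        _, _, caplen, wirelen = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        if len(frame) != caplen:
            raise ValueError("record body shorter than its caplen")
        off += 16 + caplen
        # The EtherType sits at bytes 12-13; it says whether the frame carries IP.
        proto = None
        if caplen >= 14:
            ethertype = struct.unpack_from("!H", frame, 12)[0]
            proto = ETHERTYPES.get(ethertype, "other (0x%04x)" % ethertype)
        records.append({"caplen": caplen, "wirelen": wirelen, "protocol": proto,
                        "truncated": caplen < wirelen,
                        "payload_kept": max(caplen - 14, 0)})
    return snaplen, records

if __name__ == "__main__":
    snaplen, records = read_pcap(build_sample_pcap(83))
    for r in records:
        print(snaplen, r)
```

A record with `truncated` set is one where the snapshot length dropped the tail of the frame, so any analysis of its payload sees only `payload_kept` bytes after the 14-byte Ethernet header.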