Date: Thu, 28 Feb 2008 14:29:40 +0100
From: Florian Smeets <flo@kasimir.com>
To: Mike Tancsa <mike@sentex.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: default snaplen on tcpdump
Message-ID: <47C6B744.2050501@kasimir.com>
In-Reply-To: <200802271155.m1RBt6U0058941@lava.sentex.ca>
References: <200802271155.m1RBt6U0058941@lava.sentex.ca>

Mike Tancsa wrote:
> Is there any chance of changing the default snap length of tcpdump to be
> a few bytes bigger? With pf on RELENG_7, the default of 96 is too
> short now. So doing just a
>
> # tcpdump -nei pflog0
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size
> 96 bytes
> 06:50:57.651128 rule 7/0(match): pass in on bge0: 190.73.138.253.2020 >
> xx.7.141.12.25: tcp 28 [bad hdr length 0 - too short, < 20]
>
> Going to -s100 seems to be a safe value and avoids the "bad header" errors.
>

Thank you! This just saved me some time I guess. I saw this on a 7.0-RC
firewall a few days ago and wondered what that could mean. I didn't have
time to investigate yet and just now read your mail :-)

I think others could also be confused by this, so I think increasing the
snap length would make sense.

Cheers,
Florian