Make the default snapshot length the maximum; add a #define for the
maximum.
Get rid of redundant definition of DEFAULT_SNAPLEN in interface.h.
Update the documentation.
diff --git a/interface.h b/interface.h
index 40067ed..b8e2001 100644
--- a/interface.h
+++ b/interface.h
@@ -82,16 +82,6 @@
#define max(a,b) ((b)>(a)?(b):(a))
#endif
-/*
- * The default snapshot length. This value allows most printers to print
- * useful information while keeping the amount of unwanted data down.
- */
-#ifndef INET6
-#define DEFAULT_SNAPLEN 68 /* ether + IPv4 + TCP + 14 */
-#else
-#define DEFAULT_SNAPLEN 96 /* ether + IPv6 + TCP + 22 */
-#endif
-
#ifndef BIG_ENDIAN
#define BIG_ENDIAN 4321
#define LITTLE_ENDIAN 1234
diff --git a/netdissect.h b/netdissect.h
index 8b5c842..d1b6271 100644
--- a/netdissect.h
+++ b/netdissect.h
@@ -171,17 +171,21 @@
#define max(a,b) ((b)>(a)?(b):(a))
#endif
-#ifndef INET6
/*
- * The default snapshot length. This value allows most printers to print
- * useful information while keeping the amount of unwanted data down.
- * In particular, it allows for an ethernet header, tcp/ip header, and
- * 14 bytes of data (assuming no ip options).
+ * Maximum snapshot length. This should be enough to capture the full
+ * packet on most network interfaces.
+ *
+ * XXX - could it be larger? If so, should it? Some applications might
+ * use the snapshot length in a savefile header to control the size of
+ * the buffer they allocate, so a size of, say, 2^31-1 might not work
+ * well.
*/
-#define DEFAULT_SNAPLEN 68
-#else
-#define DEFAULT_SNAPLEN 96
-#endif
+#define MAXIMUM_SNAPLEN 65535
+
+/*
+ * The default snapshot length is the maximum.
+ */
+#define DEFAULT_SNAPLEN MAXIMUM_SNAPLEN
#ifndef BIG_ENDIAN
#define BIG_ENDIAN 4321
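Review bot: The new comment on `DEFAULT_SNAPLEN` says only that the default is the maximum and leaves out the consequence: every capture now takes whole packets unless `-s` is given. I would extend it to something like `/* The default snapshot length is the maximum, so full packet payloads are captured unless -s lowers it; see the -s text in tcpdump.1 on limiting snaplen. */`. This matters for savefiles, which will presumably now hold complete application data rather than mostly headers. It also bears on the buffer-sizing concern that the XXX comment on `MAXIMUM_SNAPLEN` already raises.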
diff --git a/tcpdump.1.in b/tcpdump.1.in
index 06140cb..2be95d2 100644
--- a/tcpdump.1.in
+++ b/tcpdump.1.in
@@ -22,7 +22,7 @@
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
-.TH TCPDUMP 1 "07 January 2008"
+.TH TCPDUMP 1 "05 March 2009"
.SH NAME
tcpdump \- dump traffic on a network
.SH SYNOPSIS
@@ -432,10 +432,7 @@
.TP
.B \-s
Snarf \fIsnaplen\fP bytes of data from each packet rather than the
-default of 68 (with SunOS's NIT, the minimum is actually 96).
-68 bytes is adequate for IP, ICMP, TCP
-and UDP but may truncate protocol information from name server and NFS
-packets (see below).
+default of 65535 bytes.
Packets truncated because of a limited snapshot
are indicated in the output with ``[|\fIproto\fP]'', where \fIproto\fP
is the name of the protocol level at which the truncation has occurred.
@@ -447,7 +444,9 @@
You should limit \fIsnaplen\fP to the smallest number that will
capture the protocol information you're interested in.
Setting
-\fIsnaplen\fP to 0 means use the required length to catch whole packets.
+\fIsnaplen\fP to 0 sets it to the default of 65535,
+for backwards compatibility with recent older versions of
+.IR tcpdump .
.TP
.B \-T
Force packets selected by "\fIexpression\fP" to be interpreted the
@@ -1251,14 +1250,6 @@
If the
`question' section doesn't contain exactly one entry, `[\fIn\fPq]'
is printed.
-.LP
-Note that name server requests and responses tend to be large and the
-default \fIsnaplen\fP of 68 bytes may not capture enough of the packet
-to print.
-Use the \fB\-s\fP flag to increase the snaplen if you
-need to seriously investigate name server traffic.
-`\fB\-s 128\fP'
-has worked well for me.
.HD
SMB/CIFS decoding
diff --git a/tcpdump.c b/tcpdump.c
index ba8b702..d524b01 100644
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -748,10 +748,10 @@
snaplen = strtol(optarg, &end, 0);
if (optarg == end || *end != '\0'
- || snaplen < 0 || snaplen > 65535)
+ || snaplen < 0 || snaplen > MAXIMUM_SNAPLEN)
error("invalid snaplen %s", optarg);
else if (snaplen == 0)
- snaplen = 65535;
+ snaplen = MAXIMUM_SNAPLEN;
break;
}
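Review bot: The range check against `MAXIMUM_SNAPLEN` runs only after the `strtol()` result has been stored in `snaplen`, so an out-of-range argument can be narrowed before it is compared. The declaration of `snaplen` is outside the hunk, but if it is an `int`, then on an LP64 platform an argument such as 4294967296 would become 0 and be accepted as the default rather than rejected. Parsing into a local and checking that would close the gap: `long lval = strtol(optarg, &end, 0);`, test `lval < 0 || lval > MAXIMUM_SNAPLEN`, then `snaplen = (int)lval;`. The enclosing `case` block starts before the hunk.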