[Snort-users] capturing arp (Absent jusqu'au 29/07/2002)

Edin Dizdarevic edin.dizdarevic at ...7509...
Wed Apr 16 14:31:04 EDT 2003


Hi,

I don't really know what is happening then - if you specify 65535(! ;) )
and the real framesize is 60 bytes. Could it be, that 64kByte of data is
being copied from the kernel space to the user space and than the
application has to throw (65535 - 60) bytes away or is it the kernel
socket filter (we're talking about Linux now, aren't we) where the
"filering" is done? In the former case it would be a quite waste of CPU
time and memory. As a relief: ARP packets are quite seldom anyway ;) .
However, it could be interesting with UDP again.

Why would you want to capture more than MTU + 14 bytes - as Snort is
doing by default? Unless you have Hyperchannel, of course ;) .

Regards,

Edin


Chris Green wrote:
> Be careful on who you quote as saying what. :)
> 
> 
>>tcpdump -s 65335 -w arp.cap arp
>>
>>Why would you want to capture more than 60 bytes?
> 
> 
> I type -s, I go big and I don't wanna think what the max frame size is
> for whatever Data Link Layer.  I generally care most about larger
> packets and the most often thing you have to tell people to do when
> using tcpdump to provide packet captures is adjust the data link
> layer.
> 

-- 
Edin Dizdarevic





More information about the Snort-users mailing list