
Thread: default snaplen on tcpdump




2008-02-27 05:53:03
Is there any chance of changing the default snap length of tcpdump to
be a few bytes bigger?  With pf on RELENG_7, the default of 96 is too
short now.  So doing just a

# tcpdump  -nei pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
06:50:57.651128 rule 7/0(match): pass in on bge0: 190.73.138.253.2020 > xx.7.141.12.25:  tcp 28 [bad hdr length 0 - too short, < 20]

Going to -s100 seems to be a safe value and avoids the "bad header" errors.

         ---Mike




--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mikesentex.net
Providing Internet since 1994                     www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike

_______________________________________________
freebsd-pffreebsd.org mailing list

http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to
"freebsd-pf-unsubscribefreebsd.org"

Re: default snaplen on tcpdump
2008-02-28 07:29:40
Mike Tancsa wrote:
> Is there any chance of changing the default snap length of tcpdump to be
> a few bytes bigger?  With pf on RELENG_7, the default of 96 is too
> short now.  So doing just a
>
> # tcpdump  -nei pflog0
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
> 06:50:57.651128 rule 7/0(match): pass in on bge0: 190.73.138.253.2020 > xx.7.141.12.25:  tcp 28 [bad hdr length 0 - too short, < 20]
>
> Going to -s100 seems to be a safe value and avoids the "bad header" errors.
>

Thank you! This just saved me some time, I guess. I saw this on a 7.0-RC
firewall a few days ago and wondered what that could mean. I didn't have
time to investigate yet and just now read your mail.

I think others could also be confused by this, so I think increasing the
snap length would make sense.

Cheers,
Florian
