bin/151036: Default snaplen of tcpdump(1) is not adequate to today's packet filters
jhell
jhell at DataIX.net
Tue Sep 28 14:50:02 UTC 2010
>Number: 151036
>Category: bin
>Synopsis: Default snaplen of tcpdump(1) is not adequate to today's packet filters
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Tue Sep 28 14:50:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: jhell
>Release: stable/8 r213195
>Organization:
>Environment:
N/A
>Description:
100% of the time when using tcpdump(1) on a packet dump from pflog, a user will see a message of "[bad hdr length 0 - too short, < 20]" if they are not using a snaplen '-s' greater than or equal to that of the pflog or similar capture, which happens to be 116.
>How-To-Repeat:
tcpdump -nr /var/log/pflog
>Fix:
Always add '-s 116' to tcpdump on the command line, or patch tcpdump(1) to use a default snaplen of 116 for IPv4 and 88 for IPv6. Patching should clear up a lot of the misconception about what is actually happening.
Patch attached with submission follows:
Index: contrib/tcpdump/interface.h
===================================================================
--- contrib/tcpdump/interface.h (revision 213242)
+++ contrib/tcpdump/interface.h (working copy)
@@ -88,9 +88,9 @@
* useful information while keeping the amount of unwanted data down.
*/
#ifndef INET6
-#define DEFAULT_SNAPLEN 68 /* ether + IPv4 + TCP + 14 */
+#define DEFAULT_SNAPLEN 88 /* ether + IPv4 + TCP + 34 */
#else
-#define DEFAULT_SNAPLEN 96 /* ether + IPv6 + TCP + 22 */
+#define DEFAULT_SNAPLEN 116 /* ether + IPv6 + TCP + 42 */
#endif
#ifndef BIG_ENDIAN
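Review bot: the constants in this hunk are the reverse of what the Fix text asks for: the text says 116 for IPv4 and 88 for IPv6, but the hunk gives 88 to the non-INET6 build and 116 to the INET6 build, so an IPv4-only tcpdump would still default to less than the 116 the report says a pflog capture needs. Please reconcile the prose and the constants, and state in the comments which link-layer header the new totals are derived from: the existing 'ether + IPv4 + TCP + 14' arithmetic assumes a 14-byte Ethernet header, while the report is about pflog, whose link-layer header is not Ethernet's, so '+ 34' and '+ 42' read as padding chosen to reach a target rather than a derivation a later maintainer can check.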
Index: contrib/tcpdump/netdissect.h
===================================================================
--- contrib/tcpdump/netdissect.h (revision 213242)
+++ contrib/tcpdump/netdissect.h (working copy)
@@ -177,9 +177,9 @@
* In particular, it allows for an ethernet header, tcp/ip header, and
* 14 bytes of data (assuming no ip options).
*/
-#define DEFAULT_SNAPLEN 68
+#define DEFAULT_SNAPLEN 88
#else
-#define DEFAULT_SNAPLEN 96
+#define DEFAULT_SNAPLEN 116
#endif
#ifndef BIG_ENDIAN
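Review bot: the block comment above this definition ('it allows for an ethernet header, tcp/ip header, and 14 bytes of data') is left stale by the change to 88, whereas the matching hunk in interface.h did update its inline comment to '+ 34'; please update this comment to match the new value. Since DEFAULT_SNAPLEN is defined separately in interface.h and netdissect.h, a comment that the two must be kept in sync (or consolidating them into one header) would keep the next bump from drifting.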
>Release-Note:
>Audit-Trail:
>Unformatted:
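An added check, not part of this PR or of tcpdump: before passing '-s' as the workaround above suggests, read the snaplen and link-layer type recorded in the savefile's own global header so the value comes from the capture rather than from memory. The function names, the sample files and the '68' default passed on the command line are this example's assumptions; the 24-byte pcap header layout and the DLT_PFLOG value 117 are libpcap's.

```shell
#!/bin/sh
# Added example (not from the PR or from FreeBSD's tcpdump): inspect a pcap
# savefile's global header, such as /var/log/pflog, to learn the snaplen it was
# captured with and its link-layer type, then print the '-s' value the PR's
# workaround calls for.
#
# pcap global header (24 bytes):
#   magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
# The magic number announces the byte order the writer used.

# pcap_field FILE OFFSET: print the unsigned 32-bit value stored at byte OFFSET
# of FILE's header, decoded in the byte order given by the magic.
pcap_field() {
    file=$1
    off=$2
    # Load the 24 header bytes as lowercase hex pairs into $1..$24.
    set -- $(od -An -tx1 -v -N 24 "$file")
    if [ $# -ne 24 ]; then
        echo "pcap_field: $file: header shorter than 24 bytes" >&2
        return 1
    fi
    case "$1$2$3$4" in
        d4c3b2a1|4d3cb2a1) swap=1 ;;   # 0xa1b2c3d4 / 0xa1b23c4d stored little-endian
        a1b2c3d4|a1b23c4d) swap=0 ;;   # stored big-endian
        *)
            echo "pcap_field: $file: not a pcap savefile (magic $1$2$3$4)" >&2
            return 1 ;;
    esac
    shift "$off"                       # the field's four bytes are now $1..$4
    if [ "$swap" -eq 1 ]; then
        echo $(( 0x$4$3$2$1 ))
    else
        echo $(( 0x$1$2$3$4 ))
    fi
}

pcap_snaplen()  { pcap_field "$1" 16; }
pcap_linktype() { pcap_field "$1" 20; }

# snaplen_check FILE DEFAULT: DEFAULT is the snaplen tcpdump was built with
# (68 without INET6, 96 with it, per the PR). Prints the '-s' argument needed to
# cover everything the file holds, or a note that the default already does.
snaplen_check() {
    snap=$(pcap_snaplen "$1") || return 1
    lt=$(pcap_linktype "$1") || return 1
    if [ "$lt" -eq 117 ]; then         # 117 is DLT_PFLOG in libpcap
        kind=pflog
    else
        kind="linktype $lt"
    fi
    if [ "$snap" -gt "$2" ]; then
        echo "$kind snaplen $snap > default $2: use -s $snap"
    else
        echo "$kind snaplen $snap <= default $2: -s not needed"
    fi
}

# write_sample_pcap FILE le|be: write a constructed, packet-less savefile header
# (version 2.4, snaplen 116, linktype 117) in the requested byte order. This is
# test input made up for the example, not a real pflog capture.
write_sample_pcap() {
    case "$2" in
        le) printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\164\000\000\000\165\000\000\000' > "$1" ;;
        be) printf '\241\262\303\324\000\002\000\004\000\000\000\000\000\000\000\000\000\000\000\164\000\000\000\165' > "$1" ;;
        *)  echo "write_sample_pcap: byte order must be le or be" >&2; return 1 ;;
    esac
}

# Usage: sh snaplen_check.sh /var/log/pflog   (assumes an IPv4-only tcpdump, default 68)
for f in "$@"; do
    snaplen_check "$f" 68
done
```

The byte-order branch matters because pflog files from a big-endian machine are read on little-endian hosts and vice versa; decoding the snaplen with the wrong order silently yields a huge number and a useless '-s'. The header parse only needs od and POSIX arithmetic, so it runs on a minimal rescue system where tcpdump itself may be absent.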