default snaplen on tcpdump

Florian Smeets flo at kasimir.com
Thu Feb 28 13:56:53 UTC 2008


Mike Tancsa wrote:
> Is there any chance of changing the default snap length of tcpdump to be 
> a few bytes bigger? With pf on RELENG_7, the default of 96 is too 
> short now.  So doing just a
> 
> # tcpdump  -nei pflog0
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 
> 96 bytes
> 06:50:57.651128 rule 7/0(match): pass in on bge0: 190.73.138.253.2020 > 
> xx.7.141.12.25:  tcp 28 [bad hdr length 0 - too short, < 20]
> 
> Going to -s100 seems to be a safe value and avoids the "bad header" errors.
> 

Thank you! This just saved me some time, I guess. I saw this on a 7.0-RC 
firewall a few days ago and wondered what that could mean. I didn't have 
time to investigate yet and just now read your mail :-)

I think others could also be confused by this, so I think increasing the 
snap length would make sense.

Cheers,
Florian

