Date:      Tue, 28 Sep 2010 14:44:38 GMT
From:      jhell <jhell@DataIX.net>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   bin/151036: Default snaplen of tcpdump(1) is not adequate to today's packet filters
Message-ID:  <201009281444.o8SEicUu050526@www.freebsd.org>
Resent-Message-ID: <201009281450.o8SEo1DU086242@freefall.freebsd.org>


>Number:         151036
>Category:       bin
>Synopsis:       Default snaplen of tcpdump(1) is not adequate to today's packet filters
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 28 14:50:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     jhell
>Release:        stable/8 r213195
>Organization:
>Environment:
N/A
>Description:
100% of the time when using tcpdump(1) on a packet dump from pflog a user will see a message of "[bad hdr length 0 - too short, < 20]" if they are not using a snaplen '-s' greater than or equal to that of the pflog or similar capture, which happens to be 116.
>How-To-Repeat:
tcpdump -nr /var/log/pflog
>Fix:
Always add '-s 116' to tcpdump on the command line, or patch tcpdump(1) to use a default snaplen of 116 for ipv4 and 88 for ipv6. Patching should clear up a lot of misconceptions about what is actually happening.

Patch attached with submission follows:

Index: contrib/tcpdump/interface.h
===================================================================
--- contrib/tcpdump/interface.h	(revision 213242)
+++ contrib/tcpdump/interface.h	(working copy)
@@ -88,9 +88,9 @@
  * useful information while keeping the amount of unwanted data down.
  */
 #ifndef INET6
-#define DEFAULT_SNAPLEN 68	/* ether + IPv4 + TCP + 14 */
+#define DEFAULT_SNAPLEN 88	/* ether + IPv4 + TCP + 34 */
 #else
-#define DEFAULT_SNAPLEN 96	/* ether + IPv6 + TCP + 22 */
+#define DEFAULT_SNAPLEN 116	/* ether + IPv6 + TCP + 42 */
 #endif
 
 #ifndef BIG_ENDIAN
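Review bot: the two values are the reverse of what the Fix text asks for, and INET6 is a build-time option of tcpdump, not the address family of the packet being dissected: this hunk gives 88 to a tcpdump built without INET6 and 116 to one built with it, while the report says "116 for ipv4 and 88 for ipv6". Since the report states that a pflog capture needs 116 regardless, a non-INET6 build would still default to 88 and still produce the "[bad hdr length 0 - too short, < 20]" output the report is trying to remove; either use 116 in both branches or say in the comment why 88 is sufficient there. The byte arithmetic in the new comments (14 + 20 + 20 + 34 = 88, 14 + 40 + 20 + 42 = 116) is consistent, but it is phrased around an Ethernet header while the motivation is the pflog link-layer header, so the comment should name the pflog case the value is sized for.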
Index: contrib/tcpdump/netdissect.h
===================================================================
--- contrib/tcpdump/netdissect.h	(revision 213242)
+++ contrib/tcpdump/netdissect.h	(working copy)
@@ -177,9 +177,9 @@
  * In particular, it allows for an ethernet header, tcp/ip header, and
  * 14 bytes of data (assuming no ip options).
  */
-#define DEFAULT_SNAPLEN 68
+#define DEFAULT_SNAPLEN 88
 #else
-#define DEFAULT_SNAPLEN 96
+#define DEFAULT_SNAPLEN 116
 #endif
 
 #ifndef BIG_ENDIAN
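Review bot: the comment left as context above this hunk ("it allows for an ethernet header, tcp/ip header, and 14 bytes of data (assuming no ip options)") still describes the old 68-byte value; with 88 it now allows 34 bytes of data, so update it to match, as the interface.h hunk does. DEFAULT_SNAPLEN is defined in both interface.h and netdissect.h, so keep the two definitions and their comments identical to avoid them drifting apart again.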


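A way to check a saved capture for the condition this report describes, as an added example that is not part of the PR or of tcpdump itself: it parses the classic pcap file header, reports the file's snaplen and link type, and counts records whose captured length is below their wire length. DLT_PFLOG = 117 is libpcap's value for pflog; the 116-byte threshold is the figure from this report, and the sample file is constructed in memory.

```python
import struct

DLT_PFLOG = 117  # libpcap link-layer type value for the pf(4) log interface

# Snaplen this report says a pflog capture needs so that the pflog, IP and
# TCP headers are all present in each record (116 bytes, per the Fix field).
REQUIRED_SNAPLEN = {DLT_PFLOG: 116}


def inspect_pcap(data: bytes) -> dict:
    """Parse a classic (non-pcapng) pcap file and report its snaplen, link
    type and how many records were cut short (captured length < wire length)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"  # written by a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"  # written by a big-endian host
    else:
        raise ValueError("not a classic pcap file (magic %r)" % magic)
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    off, records, truncated = 24, 0, 0
    while off + 16 <= len(data):
        # record header: ts_sec, ts_usec, captured length, original length
        _, _, caplen, wirelen = struct.unpack(end + "IIII", data[off:off + 16])
        records += 1
        if caplen < wirelen:
            truncated += 1
        off += 16 + caplen
    needed = REQUIRED_SNAPLEN.get(linktype, 0)
    return {"snaplen": snaplen, "linktype": linktype, "records": records,
            "truncated": truncated, "snaplen_ok": snaplen >= needed}


def make_sample(snaplen: int, lengths) -> bytes:
    """Build a constructed little-endian pflog pcap in memory (demo input only);
    every record is zero-filled, since only the lengths matter here."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, DLT_PFLOG)
    for wirelen in lengths:
        caplen = min(wirelen, snaplen)
        out += struct.pack("<IIII", 0, 0, caplen, wirelen) + b"\x00" * caplen
    return out


if __name__ == "__main__":
    # A capture taken with the old 68-byte default: two of three records are cut.
    print(inspect_pcap(make_sample(68, [120, 60, 200])))
```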
>Release-Note:
>Audit-Trail:
>Unformatted:


