From: Matt Dillon
Date: Thu, 7 Dec 2000 23:38:09 -0800 (PST)
To: Guy Harris
Cc: Dragos Ruiu, tcpdump-workers@tcpdump.org, ethereal-dev@ethereal.com, snort-devel@lists.sourceforge.net, freebsd-hackers@FreeBSD.ORG, tech@openbsd.org
Subject: Re: [Ethereal-dev] Re: Fwd: kyxtech: freebsd outsniffed by wintendo !!?!?

:> or with a redirect from tcpdump on a shell line,
:
:Assuming, as I suspect is the case, that they're using the same command
:on the OSes in question (or using "tcpdump" on FreeBSD and "windump" on
:Windows), that's also unlikely - it's just "{tcp,win}dump -w test.acp".

It amounts to the same thing, since -w does nothing more than an fopen(..."w"). You get a piddly 8K buffer out of that, and it isn't even double buffered.

But I think the last poster had it right... if the bpf buffer size was not changed from the default 4096, just about anything can interrupt the packet flow.

-Matt
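The two buffers discussed in the message above, as an added example that is not part of the original post and is not tcpdump's or windump's code: a helper that enlarges the kernel BPF buffer with the BIOCSBLEN ioctl (compiled only on the BSDs), and a helper that shows how much of a capture file a small stdio buffer pushes to the kernel early compared with a large one. The function names, the /tmp path and the record and buffer sizes are assumptions chosen for illustration.

```c
/* Added example: names and sizes are illustrative, not tcpdump's code. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__)
#include <sys/time.h>
#include <sys/ioctl.h>
#include <net/bpf.h>
/* Request a larger kernel BPF buffer. BIOCSBLEN only works before the
 * descriptor is bound with BIOCSETIF. Returns the granted size, 0 on error. */
unsigned int bpf_grow_buffer(int fd, unsigned int want)
{
    unsigned int got = 0;
    if (ioctl(fd, BIOCSBLEN, &want) == -1 || ioctl(fd, BIOCGBLEN, &got) == -1)
        return 0;
    return got;
}
#endif
/* Write count constructed records of len bytes through a stdio buffer of
 * bufsize bytes. Returns the bytes already handed to the kernel before
 * fclose(), or -1 on error. */
long flushed_before_close(const char *path, size_t bufsize, size_t len, size_t count)
{
    struct stat st;
    long on_disk = -1;
    char *buf = malloc(bufsize), *rec = calloc(1, len);
    FILE *fp = fopen(path, "w");
    /* setvbuf() must precede any I/O; we pass our own buffer because some
     * libcs ignore the size argument when the buffer pointer is NULL. */
    if (buf && rec && fp && setvbuf(fp, buf, _IOFBF, bufsize) == 0) {
        for (size_t i = 0; i < count; i++)
            fwrite(rec, 1, len, fp);
        if (stat(path, &st) == 0)
            on_disk = (long)st.st_size;
    }
    if (fp)
        fclose(fp);              /* flushes the rest; buf must outlive this */
    free(buf);
    free(rec);
    remove(path);
    return on_disk;
}
int main(void)
{
    printf("1 KiB buffer: %ld\n", flushed_before_close("/tmp/bufdemo.acp", 1024, 100, 30));
    printf("64 KiB buffer: %ld\n", flushed_before_close("/tmp/bufdemo.acp", 65536, 100, 30));
    return 0;
}
```

With the 64 KiB buffer nothing reaches the kernel until the stream is closed, while the 1 KiB buffer forces write() calls in the middle of the record loop.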