Date: Thu, 7 Dec 2000 23:38:09 -0800 (PST)
From: Matt Dillon
Message-Id: <200012080738.eB87c9817756@earth.backplane.com>
To: Guy Harris
Cc: Dragos Ruiu, tcpdump-workers@tcpdump.org, ethereal-dev@ethereal.com, snort-devel@lists.sourceforge.net, freebsd-hackers@FreeBSD.ORG, tech@openbsd.org
Subject: Re: [Ethereal-dev] Re: Fwd: kyxtech: freebsd outsniffed by wintendo !!?!?
References: <0012072118150Q.09615@smp.kyx.net> <200012080547.eB85lKc17216@earth.backplane.com> <20001207232722.A352@quadrajet.flashcom.com>

:> or with a redirect from tcpdump on a shell line,
:
:Assuming, as I suspect is the case, that they're using the same command
:on the OSes in question (or using "tcpdump" on FreeBSD and "windump" on
:Windows), that's also unlikely - it's just "{tcp,win}dump -w test.acp".

It amounts to the same thing, since -w does nothing more than an fopen(..."w"). You get a piddly 8K buffer out of that, and it isn't even double buffered.

But I think the last poster had it right... if the bpf buffer size was not changed from the default 4096, just about anything can interrupt the packet flow.

-Matt
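
An added example, not part of the original message and not tcpdump's own code: a capture writer that opens its savefile with fopen() and then swaps the small default stdio buffer for a caller-sized one with setvbuf(), so bursts of packets are absorbed in memory instead of forcing a write per few kilobytes. The names savefile_open, savefile_write and savefile_close are hypothetical; the record layout is the classic pcap savefile format.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper names; classic pcap savefile layout (24 + 16 byte headers). */
struct savefile { FILE *fp; char *buf; };
struct pcap_file_hdr {
    uint32_t magic; uint16_t vmajor, vminor;
    int32_t thiszone; uint32_t sigfigs, snaplen, linktype;
};
struct pcap_rec_hdr { uint32_t ts_sec, ts_usec, caplen, len; };

/* Open path for writing with a fully buffered stream of bufsize bytes. */
int savefile_open(struct savefile *sf, const char *path, size_t bufsize)
{
    struct pcap_file_hdr h = { 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1 /* Ethernet */ };

    sf->fp = fopen(path, "wb");
    if (sf->fp == NULL)
        return -1;
    sf->buf = malloc(bufsize);
    /* setvbuf must be the first operation on the stream after fopen. */
    if (sf->buf == NULL || setvbuf(sf->fp, sf->buf, _IOFBF, bufsize) != 0 ||
        fwrite(&h, sizeof h, 1, sf->fp) != 1) {
        fclose(sf->fp);
        free(sf->buf);
        return -1;
    }
    return 0;
}

/* Append one packet record; returns 0 on success, -1 on a short write. */
int savefile_write(struct savefile *sf, uint32_t sec, uint32_t usec,
                   const void *pkt, uint32_t caplen, uint32_t wirelen)
{
    struct pcap_rec_hdr r = { sec, usec, caplen, wirelen };

    if (fwrite(&r, sizeof r, 1, sf->fp) != 1)
        return -1;
    return fwrite(pkt, 1, caplen, sf->fp) == caplen ? 0 : -1;
}

/* Flush and close; the buffer may only be freed after fclose returns. */
int savefile_close(struct savefile *sf)
{
    int rc = fclose(sf->fp);
    free(sf->buf);
    return rc;
}
```

This covers only the output side. The bpf buffer mentioned above is a separate, kernel-side setting; on BSD it is changed with the BIOCSBLEN ioctl before the descriptor is bound to an interface.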