Reputation: 1136
Why does tcpdump -dd always use 0x4000 as the size of the packet to return in the accepting case? I know it's big enough to return the entire packet. But why exactly that value and not, for example, 65536?
Upvotes: 1
Views: 80
Reputation: 9174
When in doubt, just search for the value in the source code, in our case in libpcap (by the way: it's 0x40000).
/*
 * Maximum snapshot length.
 *
 * Somewhat arbitrary, but chosen to be:
 *
 *    1) big enough for maximum-size Linux loopback packets (65549)
 *       and some USB packets captured with USBPcap:
 *
 *           http://desowin.org/usbpcap/
 *
 *       (> 131072, < 262144)
 *
 * and
 *
 *    2) small enough not to cause attempts to allocate huge amounts of
 *       memory; some applications might use the snapshot length in a
 *       savefile header to control the size of the buffer they allocate,
 *       so a size of, say, 2^31-1 might not work well.
 *
 * We don't enforce this in pcap_set_snaplen(), but we use it internally.
 */
#define MAXIMUM_SNAPLEN 262144
Upvotes: 1
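Added example, not part of the answer above and not libpcap code: a small decoder for `tcpdump -dd` output that pulls the constant out of each `ret` instruction and compares the accepting value with the `MAXIMUM_SNAPLEN` define quoted in the answer. The sample program text is constructed in the format `-dd` prints, and the function names are hypothetical.

```python
import re

MAXIMUM_SNAPLEN = 262144   # value of the libpcap #define quoted in the answer

# Classic BPF opcode fields (from the BPF instruction encoding)
BPF_CLASS_MASK = 0x07
BPF_RET = 0x06             # instruction class: return
BPF_RVAL_MASK = 0x18
BPF_K = 0x00               # return the constant k (as opposed to register A)

# Constructed sample in the format `tcpdump -dd` prints (filter: "ip")
SAMPLE_DD = """\
{ 0x28, 0, 0, 0x0000000c },
{ 0x15, 0, 1, 0x00000800 },
{ 0x6, 0, 0, 0x00040000 },
{ 0x6, 0, 0, 0x00000000 },
"""

_INSN = re.compile(r"\{\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\}")


def parse_dd(text):
    """Return a list of (code, jt, jf, k) tuples from -dd style output."""
    return [tuple(int(f, 0) for f in m.groups()) for m in _INSN.finditer(text)]


def return_lengths(insns):
    """Collect k from every 'ret #k' instruction, in program order."""
    return [k for code, _jt, _jf, k in insns
            if (code & BPF_CLASS_MASK) == BPF_RET
            and (code & BPF_RVAL_MASK) == BPF_K]


def accept_length(insns):
    """Bytes kept when the filter accepts: the largest nonzero 'ret #k'."""
    accepted = [k for k in return_lengths(insns) if k != 0]
    return max(accepted) if accepted else 0


if __name__ == "__main__":
    program = parse_dd(SAMPLE_DD)
    n = accept_length(program)
    print(f"accept returns {n} bytes (0x{n:x}); "
          f"equals MAXIMUM_SNAPLEN: {n == MAXIMUM_SNAPLEN}")
```

A `ret #0` is the reject path (keep zero bytes), which is why only nonzero constants are treated as the accepting snapshot length.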