[Coral-dev] crl_to_pcap and snaplen
Ken Keys
coral-info@caida.org
Mon, 25 Nov 2002 13:07:51 -0800
On Mon, Nov 25, 2002 at 02:50:50PM -0500, Chris Rapier wrote:
> I've been trying to get the latest revision of coralreef to only capture the
> 1st 48 bytes of each packet on a live pcap interface. I thought I would use
> something like -C'm=48' or 'iomode=\!user' and various combinations but I
> still seem to be capturing payload data as well. Is there a way to do this
> on a live pcap interface (SysKonnect GigE card) or should I just resort to
> tcpdump?

The -Cm=48 should work as expected on live pcap interfaces, capturing
only the first 48 bytes of each packet. But you probably want 54
for TCP (14-byte Ethernet header + 20-byte IP header + 20-byte TCP
header) or 42 for UDP, not 48. (You see 48 in our docs a lot because
it is the size of an ATM cell and it's sufficient to hold an 8-byte
RFC 1483 LLC/SNAP header + IP header + TCP header, but that's not
relevant here.)

If you just want to capture to a file (as opposed to running a CoralReef
analysis app in realtime), tcpdump is just as good as crl_to_pcap.

--
Ken Keys
kkeys@caida.org
CoralReef: http://www.caida.org/tools/measurement/coralreef/
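
The header arithmetic in the reply above, as an added example that is not part of the original message or of CoralReef: this Python sketch measures, for constructed Ethernet II/IPv4 frames, how many header bytes a given snaplen cuts off and how many payload bytes it still records. It goes slightly beyond the message by also handling TCP options; all function names and sample frames are assumptions of the example.

```python
import struct

ETH_LEN = 14  # Ethernet II without a VLAN tag (assumption of this example)

def header_bytes(frame: bytes) -> int:
    """Bytes of Ethernet + IPv4 + TCP/UDP header in one full frame."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet II / IPv4 frame")
    ihl = (frame[ETH_LEN] & 0x0F) * 4        # IPv4 header length, options included
    l4 = ETH_LEN + ihl
    proto = frame[ETH_LEN + 9]
    if proto == 17:                          # UDP header is always 8 bytes
        return l4 + 8
    if proto == 6 and len(frame) >= l4 + 20:
        return l4 + (frame[l4 + 12] >> 4) * 4  # TCP data offset, options included
    raise ValueError("unsupported or truncated transport header")

def snap_effect(frame: bytes, snaplen: int) -> dict:
    """What a given snaplen loses (header bytes) or records (payload bytes)."""
    need, kept = header_bytes(frame), min(snaplen, len(frame))
    return {"need": need,
            "header_missing": max(0, need - kept),
            "payload_kept": max(0, kept - need)}

def build_frame(proto: int, l4_header: bytes, payload: bytes) -> bytes:
    """Constructed test frame: locally administered MACs, TEST-NET-1 addresses."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_header) + len(payload),
                     0, 0, 64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + l4_header + payload

def tcp_header(options: bytes = b"") -> bytes:
    """20-byte TCP header plus optional, already padded, options."""
    doff = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, 0x18,
                       65535, 0, 0) + options

# Constructed sample frames (not captured traffic).
PAYLOAD = b"constructed application data " * 4
TCP_PLAIN = build_frame(6, tcp_header(), PAYLOAD)
TCP_TSOPT = build_frame(6, tcp_header(b"\x01\x01\x08\x0a" + bytes(8)), PAYLOAD)
UDP = build_frame(17, struct.pack("!HHHH", 40000, 53, 8 + len(PAYLOAD), 0), PAYLOAD)

if __name__ == "__main__":
    for name, frame in (("tcp", TCP_PLAIN), ("tcp+timestamps", TCP_TSOPT), ("udp", UDP)):
        for snaplen in (42, 48, 54):
            print(name, snaplen, snap_effect(frame, snaplen))
```

With these frames, a snaplen of 48 drops the last 6 bytes of a plain TCP header, while 54 applied to UDP traffic records 12 bytes of payload, so a single value is a trade-off when both protocols are on the wire.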