[Coral-dev] crl_to_pcap and snaplen
Chris Rapier
rapier@psc.edu
Mon, 25 Nov 2002 16:34:18 -0500
Ken Keys wrote:
> On Mon, Nov 25, 2002 at 02:50:50PM -0500, Chris Rapier wrote:
>
>>I've been trying to get the latest revision of coralreef to only capture the
>>1st 48 bytes of each packet on a live pcap interface. I thought I would use
>>something like -C'm=48' or 'iomode=\!user' and various combinations but I
>>still seem to be capturing payload data as well. Is there a way to do this
>>on a live pcap interface (SysKonnect GigE card) or should I just resort to
>>tcpdump?
>
>
> The -Cm=48 should work as expected on live pcap interfaces, capturing
> only the first 48 bytes of each packet.
Nope, not working.
/usr/local/Coral/bin/crl_to_pcap -C'duration=5' -Cm=48 -r -o foo if:sk0
If I then run strings against foo I see html headers, bits of email, and so
forth - which leads me to believe that far more than the first 48 bytes are
being snagged.
> for TCP (14 byte ethernet header + 20 byte IP header + 20 byte TCP
> header) or 42 for UDP, not 48.
48 was just a number I pulled out of the air.
> If you just want to capture to a file (as opposed to running a CoralReef
> analysis app in realtime), tcpdump is just as good as crl_to_pcap.
Capturing to a file was simply for testing purposes. It will eventually be
shunted to another application but only if I can resolve this issue.
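
A more direct check than running strings on the output, added here as an example and not part of the original message or of CoralReef: every record in a classic pcap file stores its captured length, so the file itself shows whether a snap length took effect. It assumes the output file is classic pcap (not pcapng); the function names, the sample frames and the 48-byte limit are constructed for illustration.

```python
import struct

# Classic pcap magic numbers (microsecond and nanosecond timestamps).
MAGICS = {0xA1B2C3D4, 0xA1B23C4D}

def caplen_report(data, limit):
    """Summarise captured lengths in a classic pcap file (not pcapng)."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    for endian in ("<", ">"):
        magic, = struct.unpack_from(endian + "I", data, 0)
        if magic in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file")
    # Global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, snaplen, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    offset, packets, max_caplen, over = 24, 0, 0, 0
    while offset + 16 <= len(data):
        # Record header: ts_sec, ts_frac, caplen (bytes stored), wirelen (bytes on the wire)
        _, _, caplen, wirelen = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        if offset + caplen > len(data):
            raise ValueError("truncated record at packet %d" % packets)
        offset += caplen
        packets += 1
        max_caplen = max(max_caplen, caplen)
        over += caplen > limit  # count records that kept more than the limit
    return {"snaplen": snaplen, "linktype": linktype, "packets": packets,
            "max_caplen": max_caplen, "over_limit": over}

def build_pcap(snaplen, frames):
    """Build a constructed little-endian pcap, truncating each frame to snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        kept = frame[:snaplen]
        out += struct.pack("<IIII", i, 0, len(kept), len(frame)) + kept
    return out

# Constructed sample frames: filler bytes standing in for headers, then payload.
FRAMES = [b"\x00" * 54 + b"GET / HTTP/1.0\r\n\r\n", b"\x00" * 42 + b"x" * 100]

if __name__ == "__main__":
    for snaplen in (48, 65535):
        print(snaplen, caplen_report(build_pcap(snaplen, FRAMES), 48))
```

A non-zero over_limit, or a max_caplen above the requested value, means payload bytes were written to the file regardless of the option passed at capture time.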