mirrors/tcpdump
0
0
Fork 0
mirror of https://github.com/the-tcpdump-group/tcpdump.git synced 2024-11-23 18:14:29 +08:00
Code Issues Packages Projects Releases Wiki Activity

Update the -s documentation.

Browse Source 
The -s default is now large, so it's not as if you'll have to increase
it to get more packet data; you might have to *decrease* it to avoid
dropping packets.
This commit is contained in:
Guy Harris 2017-12-14 15:48:30 -08:00
parent 3e6a7011af
commit a5874ee6b1
1 changed files with 10 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
tcpdump.1.in
View File

@ -620,14 +620,21 @@ default of 262144 bytes.
Packets truncated because of a limited snapshot
are indicated in the output with ``[|\fIproto\fP]'', where \fIproto\fP
is the name of the protocol level at which the truncation has occurred.
.IP
Note that taking larger snapshots both increases
the amount of time it takes to process packets and, effectively,
decreases the amount of packet buffering.
This may cause packets to be
lost.
You should limit \fIsnaplen\fP to the smallest number that will
capture the protocol information you're interested in.
Setting
Note also that taking smaller snapshots will discard data from protocols
above the transport layer, which loses information that may be
important. NFS and AFS requests and replies, for example, are very
large, and much of the detail won't be available if a too-short snapshot
length is selected.
.IP
If you need to reduce the snapshot size below the default, you should
limit \fIsnaplen\fP to the smallest number that will capture the
protocol information you're interested in. Setting
\fIsnaplen\fP to 0 sets it to the default of 262144,
for backwards compatibility with recent older versions of
.IR tcpdump .
@ -1675,11 +1682,6 @@ the file mode (in octal), the uid and gid, and the file size.
.LP
If the \-v flag is given more than once, even more details are printed.
.LP
Note that NFS requests are very large and much of the detail won't be printed
unless \fIsnaplen\fP is increased.
Try using `\fB\-s 192\fP' to watch
NFS traffic.
.LP
NFS reply packets do not explicitly identify the RPC operation.
Instead,
\fItcpdump\fP keeps track of ``recent'' requests, and matches them to the
@ -1743,11 +1745,6 @@ Error codes are printed for abort packets, with the exception of Ubik
beacon packets (because abort packets are used to signify a yes vote
for the Ubik protocol).
.LP
Note that AFS requests are very large and many of the arguments won't
be printed unless \fIsnaplen\fP is increased.
Try using `\fB-s 256\fP'
to watch AFS traffic.
.LP
AFS reply packets do not explicitly identify the RPC operation.
Instead,
\fItcpdump\fP keeps track of ``recent'' requests, and matches them to the