為什麼 tcpdump 將 262144 作為預設捕獲大小？

Question

https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/netdissect.h

/*
 * Maximum snapshot length.  This should be enough to capture the full
 * packet on most network interfaces.
 *
 *
 * Somewhat arbitrary, but chosen to be:
 *
 *    1) big enough for maximum-size Linux loopback packets (65549)
 *       and some USB packets captured with USBPcap:
 *
 *           http://desowin.org/usbpcap/
 *
 *       (> 131072, < 262144)
 *
 * and
 *
 *    2) small enough not to cause attempts to allocate huge amounts of
 *       memory; some applications might use the snapshot length in a
 *       savefile header to control the size of the buffer they allocate,
 *       so a size of, say, 2^31-1 might not work well.
 *
 * XXX - does it need to be bigger still?
 */
#define MAXIMUM_SNAPLEN 262144

沒什麼太多的。 Linux 環回不受硬體幀的限制，因此具有相當大的最大大小（64k）。其他資料包可能更大，例如 2 的幾次方到 256k。

Answer 1

https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/netdissect.h

/*
 * Maximum snapshot length.  This should be enough to capture the full
 * packet on most network interfaces.
 *
 *
 * Somewhat arbitrary, but chosen to be:
 *
 *    1) big enough for maximum-size Linux loopback packets (65549)
 *       and some USB packets captured with USBPcap:
 *
 *           http://desowin.org/usbpcap/
 *
 *       (> 131072, < 262144)
 *
 * and
 *
 *    2) small enough not to cause attempts to allocate huge amounts of
 *       memory; some applications might use the snapshot length in a
 *       savefile header to control the size of the buffer they allocate,
 *       so a size of, say, 2^31-1 might not work well.
 *
 * XXX - does it need to be bigger still?
 */
#define MAXIMUM_SNAPLEN 262144

沒什麼太多的。 Linux 環回不受硬體幀的限制，因此具有相當大的最大大小（64k）。其他資料包可能更大，例如 2 的幾次方到 256k。

為什麼 tcpdump 將 262144 作為預設捕獲大小？

答案1

相關內容