PR-6152397.diff   [plain text]


diff -r -u -N --exclude='*.orig' tcpdump-3.9.8.orig/interface.h tcpdump-3.9.8/interface.h
--- interface.h	2007-06-13 18:03:20.000000000 -0700
+++ interface.h	2008-08-20 22:40:36.000000000 -0700
@@ -86,11 +86,15 @@
  * The default snapshot length.  This value allows most printers to print
  * useful information while keeping the amount of unwanted data down.
  */
+#ifdef __APPLE__
+#define DEFAULT_SNAPLEN 65535	/* entire packet */
+#else /* __APPLE__ */
 #ifndef INET6
 #define DEFAULT_SNAPLEN 68	/* ether + IPv4 + TCP + 14 */
 #else
 #define DEFAULT_SNAPLEN 96	/* ether + IPv6 + TCP + 22 */
 #endif
+#endif /* __APPLE__ */
 
 #ifndef BIG_ENDIAN
 #define BIG_ENDIAN 4321
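Review bot: The comment kept as context above the new `#ifdef __APPLE__` branch still says the default keeps "the amount of unwanted data down", which no longer describes a `DEFAULT_SNAPLEN` of 65535. With that default, every capture, including files written with `-w`, holds full packet payloads unless the operator passes `-s`, so cleartext credentials and application data end up in capture files that previously held little more than headers. I would extend the comment with a line such as `* On __APPLE__ the default is the entire packet; use -s to limit how much payload is captured.` The same applies to the matching branch added in netdissect.h.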
diff -r -u -N --exclude='*.orig' tcpdump-3.9.8.orig/netdissect.h tcpdump-3.9.8/netdissect.h
--- netdissect.h	2006-09-19 12:07:56.000000000 -0700
+++ netdissect.h	2008-08-20 22:41:09.000000000 -0700
@@ -170,6 +170,9 @@
 #define max(a,b) ((b)>(a)?(b):(a))
 #endif
 
+#ifdef __APPLE__
+#define DEFAULT_SNAPLEN 65535   /* entire packet */
+#else /* __APPLE__ */
 #ifndef INET6
 /*
  * The default snapshot length.  This value allows most printers to print
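Review bot: The literal 65535 for `DEFAULT_SNAPLEN` is now written out both in interface.h and in this header, with nothing tying the two together. A later edit to one of them would leave the headers disagreeing, and a file that includes both would presumably get a macro redefinition diagnostic. A short comment on the new define would make the coupling visible, e.g. `/* entire packet; keep in sync with interface.h */`. The `#ifdef __APPLE__` opened here is closed by the `#endif` added in the following hunk. The existing comment block that begins at the end of this hunk now sits inside the `#else` branch, so it documents only the non-Apple values.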
@@ -181,6 +184,7 @@
 #else
 #define DEFAULT_SNAPLEN 96
 #endif
+#endif /* __APPLE__ */
 
 #ifndef BIG_ENDIAN
 #define BIG_ENDIAN 4321
diff -r -u -N --exclude='*.orig' tcpdump-3.9.8.orig/tcpdump.1 tcpdump-3.9.8/tcpdump.1
--- tcpdump.1	2007-07-05 06:55:25.000000000 -0700
+++ tcpdump.1	2008-09-02 10:13:45.000000000 -0700
@@ -414,10 +414,7 @@
 .TP
 .B \-s
 Snarf \fIsnaplen\fP bytes of data from each packet rather than the
-default of 68 (with SunOS's NIT, the minimum is actually 96).
-68 bytes is adequate for IP, ICMP, TCP
-and UDP but may truncate protocol information from name server and NFS
-packets (see below).
+default of 64K bytes.
 Packets truncated because of a limited snapshot
 are indicated in the output with ``[|\fIproto\fP]'', where \fIproto\fP
 is the name of the protocol level at which the truncation has occurred.
@@ -1230,14 +1227,6 @@
 If the
 `question' section doesn't contain exactly one entry, `[\fIn\fPq]'
 is printed.
-.LP
-Note that name server requests and responses tend to be large and the
-default \fIsnaplen\fP of 68 bytes may not capture enough of the packet
-to print.
-Use the \fB\-s\fP flag to increase the snaplen if you
-need to seriously investigate name server traffic.
-`\fB\-s 128\fP'
-has worked well for me.
 
 .HD
 SMB/CIFS decoding