为什么 tcpdump 的默认捕获大小为 262144？

Question

https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/netdissect.h

/*
 * Maximum snapshot length.  This should be enough to capture the full
 * packet on most network interfaces.
 *
 *
 * Somewhat arbitrary, but chosen to be:
 *
 *    1) big enough for maximum-size Linux loopback packets (65549)
 *       and some USB packets captured with USBPcap:
 *
 *           http://desowin.org/usbpcap/
 *
 *       (> 131072, < 262144)
 *
 * and
 *
 *    2) small enough not to cause attempts to allocate huge amounts of
 *       memory; some applications might use the snapshot length in a
 *       savefile header to control the size of the buffer they allocate,
 *       so a size of, say, 2^31-1 might not work well.
 *
 * XXX - does it need to be bigger still?
 */
#define MAXIMUM_SNAPLEN 262144

没什么大不了的。Linux 环回不受硬件帧的限制，因此最大大小相当大，为 64k。其他数据包可能更大，因此最多可达 2 的几个幂，即 256k。

Answer 1

https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/netdissect.h

/*
 * Maximum snapshot length.  This should be enough to capture the full
 * packet on most network interfaces.
 *
 *
 * Somewhat arbitrary, but chosen to be:
 *
 *    1) big enough for maximum-size Linux loopback packets (65549)
 *       and some USB packets captured with USBPcap:
 *
 *           http://desowin.org/usbpcap/
 *
 *       (> 131072, < 262144)
 *
 * and
 *
 *    2) small enough not to cause attempts to allocate huge amounts of
 *       memory; some applications might use the snapshot length in a
 *       savefile header to control the size of the buffer they allocate,
 *       so a size of, say, 2^31-1 might not work well.
 *
 * XXX - does it need to be bigger still?
 */
#define MAXIMUM_SNAPLEN 262144

没什么大不了的。Linux 环回不受硬件帧的限制，因此最大大小相当大，为 64k。其他数据包可能更大，因此最多可达 2 的几个幂，即 256k。

为什么 tcpdump 的默认捕获大小为 262144？

答案1

相关内容