From nobody@FreeBSD.org  Tue Sep 28 14:44:38 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 722C81065694
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 28 Sep 2010 14:44:38 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 613338FC1C
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 28 Sep 2010 14:44:38 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o8SEicMX050527
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 28 Sep 2010 14:44:38 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o8SEicUu050526;
	Tue, 28 Sep 2010 14:44:38 GMT
	(envelope-from nobody)
Message-Id: <201009281444.o8SEicUu050526@www.freebsd.org>
Date: Tue, 28 Sep 2010 14:44:38 GMT
From: jhell <jhell@DataIX.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Default snaplen of tcpdump(1) is not adequate to todays packet filters
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         151036
>Category:       bin
>Synopsis:       [patch] Default snaplen of tcpdump(1) is not adequate to todays packet filters
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 28 14:50:01 UTC 2010
>Closed-Date:    Tue Apr 23 17:44:15 UTC 2013
>Last-Modified:  Tue Apr 23 17:44:15 UTC 2013
>Originator:     jhell
>Release:        stable/8 r213195
>Organization:
>Environment:
N/A
>Description:
100% of the time when using tcpdump(1) on a packet dump from pflog a user will see a message of "[bad hdr length 0 - too short, < 20]" if they are not using a snaplen '-s' greater than or equal to that of the pflog or similar capture which happens to be 116.
>How-To-Repeat:
tcpdump -nr /var/log/pflog
>Fix:
Always add '-s 116' to tcpdump on the command line or patch tcpdump(1) to use a default snaplen of 116 for ipv4 and 88 for ipv6. Patching should solve a lot of misconceptions about what is actually happening.

Patch attached with submission follows:

Index: contrib/tcpdump/interface.h
===================================================================
--- contrib/tcpdump/interface.h	(revision 213242)
+++ contrib/tcpdump/interface.h	(working copy)
@@ -88,9 +88,9 @@
  * useful information while keeping the amount of unwanted data down.
  */
 #ifndef INET6
-#define DEFAULT_SNAPLEN 68	/* ether + IPv4 + TCP + 14 */
+#define DEFAULT_SNAPLEN 88	/* ether + IPv4 + TCP + 34 */
 #else
-#define DEFAULT_SNAPLEN 96	/* ether + IPv6 + TCP + 22 */
+#define DEFAULT_SNAPLEN 116	/* ether + IPv6 + TCP + 42 */
 #endif
 
 #ifndef BIG_ENDIAN
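Review bot: The values in this hunk are the reverse of the PR's Fix text, which asks for 116 for IPv4 and 88 for IPv6, whereas the `#ifndef INET6` branch here becomes 88 and the `#else` (INET6) branch becomes 116; either the Fix text or the patch should be corrected so the two agree. The updated comments keep the arithmetic consistent (ether 14 + IPv4 20 + TCP 20 + 34 = 88; ether 14 + IPv6 40 + TCP 20 + 42 = 116), but they still justify the constant purely as header-plus-data, while the stated motivation is the longer pflog header; a short note in the comment saying that the bump is for pflog captures would record why the value moved. Since this is a file under contrib/, a local change to DEFAULT_SNAPLEN also diverges from upstream tcpdump and should either be flagged as a FreeBSD-local modification or sent upstream.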
Index: contrib/tcpdump/netdissect.h
===================================================================
--- contrib/tcpdump/netdissect.h	(revision 213242)
+++ contrib/tcpdump/netdissect.h	(working copy)
@@ -177,9 +177,9 @@
  * In particular, it allows for an ethernet header, tcp/ip header, and
  * 14 bytes of data (assuming no ip options).
  */
-#define DEFAULT_SNAPLEN 68
+#define DEFAULT_SNAPLEN 88
 #else
-#define DEFAULT_SNAPLEN 96
+#define DEFAULT_SNAPLEN 116
 #endif
 
 #ifndef BIG_ENDIAN
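Review bot: The comment left unchanged just above this hunk (`* In particular, it allows for an ethernet header, tcp/ip header, and` / `* 14 bytes of data (assuming no ip options).`) now misstates the value, because the non-INET6 default moves from 68 to 88, which by the interface.h hunk is 34 bytes of data; update that comment in the same change. DEFAULT_SNAPLEN is also defined in both netdissect.h and interface.h with the same numbers, so the two copies must be kept in step; consider defining it once, or at least adding a cross-reference comment so a future bump does not change one header and not the other.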


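The PR's underlying problem is a capture whose snaplen is shorter than link header + IP header + TCP header, which tcpdump then reports as "bad hdr length". The following is an added example, not part of this PR or of tcpdump: a small Python checker that parses a classic pcap file in memory, reads the snaplen and link type from the global header, counts records whose captured length is below the original length, and compares the snaplen against the smallest value that keeps link header + IPv6 + TCP intact. The link-header table uses the libpcap numbers for DLT_NULL (0, 4 bytes) and DLT_EN10MB (1, 14 bytes); the 64-byte length for DLT_PFLOG (117) is an assumption made for this example, not a figure taken from the PR. The sample capture is constructed in code.

```python
import struct

# Link-layer header lengths in bytes, keyed by pcap link type (DLT_*) number.
# DLT_NULL (0) -> 4-byte loopback header; DLT_EN10MB (1) -> 14-byte Ethernet header.
# DLT_PFLOG (117): the 64-byte pflog header is an ASSUMPTION for this example,
# not a value taken from the PR.
LINK_HEADER_LEN = {0: 4, 1: 14, 117: 64}

IPV6_HDR_LEN = 40   # fixed IPv6 header (the larger of the two IP versions)
TCP_HDR_LEN = 20    # TCP header without options

GLOBAL_HDR_LEN = 24  # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16  # ts_sec, ts_usec, incl_len, orig_len


def parse_pcap(data: bytes) -> dict:
    """Parse a classic (non-pcapng) pcap file held in memory.

    Returns the file snaplen, link type, and (incl_len, orig_len) per record.
    """
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    _, _, _, _, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:GLOBAL_HDR_LEN])

    records = []
    off = GLOBAL_HDR_LEN
    while off + RECORD_HDR_LEN <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        if off + incl_len > len(data):
            raise ValueError("record body runs past end of file at offset %d" % off)
        records.append((incl_len, orig_len))
        off += incl_len
    return {"snaplen": snaplen, "linktype": linktype, "records": records}


def required_snaplen(linktype: int) -> int:
    """Smallest snaplen that keeps link header + IPv6 + TCP intact for this link type."""
    return LINK_HEADER_LEN[linktype] + IPV6_HDR_LEN + TCP_HDR_LEN


def check_capture(data: bytes) -> dict:
    """Report whether a capture's snaplen is adequate and how many records were cut short."""
    info = parse_pcap(data)
    truncated = sum(1 for incl, orig in info["records"] if incl < orig)
    need = required_snaplen(info["linktype"])
    return {
        "snaplen": info["snaplen"],
        "required": need,
        "adequate": info["snaplen"] >= need,
        "packets": len(info["records"]),
        "truncated": truncated,
    }


def build_sample_capture(snaplen: int, linktype: int = 117) -> bytes:
    """Construct a synthetic little-endian pcap (constructed test data, not a real pflog)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    # First record: a 140-byte packet on the wire, captured only up to snaplen.
    orig_len = 140
    incl_len = min(orig_len, snaplen)
    rec1 = struct.pack("<IIII", 0, 0, incl_len, orig_len) + bytes(incl_len)
    # Second record: a 60-byte packet that fits entirely within the snaplen.
    rec2 = struct.pack("<IIII", 1, 0, 60, 60) + bytes(60)
    return hdr + rec1 + rec2


if __name__ == "__main__":
    for s in (96, 116, 65535):
        print("snaplen %5d ->" % s, check_capture(build_sample_capture(s)))
```

Run against a real file with `check_capture(open("/var/log/pflog", "rb").read())`; a non-zero `truncated` count together with `adequate` being False is the condition the PR describes, and raising the snaplen at capture time is the fix, since bytes never captured cannot be recovered from the file afterwards.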
>Release-Note:
>Audit-Trail:

From: jhell <jhell@DataIX.net>
To: bug-followup@FreeBSD.org, jhell@DataIX.net
Cc:  
Subject: Re: bin/151036: [patch] Default snaplen of tcpdump(1) is not adequate
 to todays packet filters
Date: Fri, 12 Nov 2010 15:21:10 -0500

 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
 This PR/151036 can be closed as tcpdump from HEAD has moved to a default
 snaplen of MAXIMUM_SNAPLEN which is '65535'.
 
 It would be nice to see the stable branches patched to a higher default
 snaplen level at this time but is not imperative to operations that it
 happens.
 
 
 ===== To use HEAD's libpcap & tcpdump on stable/8 r215190 =====
 
 cd /usr/src
 
 # libpcap 4.1.1 + pflogd & ipfilter fixup for libpcap.
 svn merge -c214517:214521 svn://svn.freebsd.org/base/head .
 svn merge -c214529 svn://svn.freebsd.org/base/head .
 svn merge -c214533 svn://svn.freebsd.org/base/head .
 svn merge -c214535:214536 svn://svn.freebsd.org/base/head .
 svn merge -c214539 svn://svn.freebsd.org/base/head .
 svn merge -c214834 svn://svn.freebsd.org/base/head .
 
 # tcpdump 4.1.1
 svn merge -c214478 svn://svn.freebsd.org/base/head .
 svn merge -c214481:214482 svn://svn.freebsd.org/base/head .
 svn merge -c214530 svn://svn.freebsd.org/base/head .
 svn merge -c214559:214560 svn://svn.freebsd.org/base/head .
 
 
 - -- 
 
  jhell,v
 -----BEGIN PGP SIGNATURE-----
 
 iQEcBAEBAgAGBQJM3aG2AAoJEJBXh4mJ2FR+9t4H/0PFKWcn7krp7VkXhH203Az9
 KjgsnmjblIVAEYvB2P+k54063pOH9ePg9IQxi/zlsGeDuOtUoXzF2P9677Juw7uu
 f5uWpLllPvVl/1QLnAhqKpMFju4Oe9NU2z6yHAvSGIVUANiV6yD7SsqgKCoaLLsl
 9s1cEY0itVQYuE/sxt669FST7qoy8F+n19y+JKM4aQPPaVCiSYafRt720iRmR9EW
 eS4hgvEcMzuHrKVMPCV0ank6M1JiDb7CP0MK71PjWoIof4PEffr8bRCgb1V15CXx
 zKz2Q1oApN/nFbx4kfM24I9WRan0BG+whwFIxHpBpi9obeWhNnx0AHnJCVG/GyA=
 =qclo
 -----END PGP SIGNATURE-----
State-Changed-From-To: open->closed 
State-Changed-By: wxs 
State-Changed-When: Tue Apr 23 17:44:14 UTC 2013 
State-Changed-Why:  
No longer applies. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=151036 
>Unformatted:
