TCPDump Default Capture Size – Why 262144?

tcpdump

I was wondering why tcpdump uses the magic number 262144 as its default snapshot length?

--snapshot-length=snaplen

Snarf snaplen bytes of data from each packet rather than the default of 262144 bytes. Packets truncated because of a limited snapshot are indicated in the output with "[|proto]", where proto is the name of the protocol level at which the truncation has occurred.

Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. Note also that taking smaller snapshots will discard data from protocols above the transport layer, which loses information that may be important. NFS and AFS requests and replies, for example, are very large, and much of the detail won't be available if a too-short snapshot length is selected.

If you need to reduce the snapshot size below the default, you should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 sets it to the default of 262144, for backwards compatibility with recent older versions of tcpdump.

Reference: man page

Best Answer

https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/netdissect.h

/*
 * Maximum snapshot length.  This should be enough to capture the full
 * packet on most network interfaces.
 *
 *
 * Somewhat arbitrary, but chosen to be:
 *
 *    1) big enough for maximum-size Linux loopback packets (65549)
 *       and some USB packets captured with USBPcap:
 *
 *           http://desowin.org/usbpcap/
 *
 *       (> 131072, < 262144)
 *
 * and
 *
 *    2) small enough not to cause attempts to allocate huge amounts of
 *       memory; some applications might use the snapshot length in a
 *       savefile header to control the size of the buffer they allocate,
 *       so a size of, say, 2^31-1 might not work well.
 *
 * XXX - does it need to be bigger still?
 */
#define MAXIMUM_SNAPLEN 262144

Not a lot to it. Linux loopback is unbounded by hardware frames and so has a fairly large max size at 64k. Other packets can be even larger, so go up a couple of powers of two to 256k.
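Two things in the thread above are easy to see in a savefile rather than in prose: the man page's warning that a too-short snaplen silently drops everything past the truncation point, and the netdissect.h comment's point that readers size buffers from the snaplen field in the file header, so that field needs a sanity bound before anyone allocates from it. The following is an added example, not code from the question, the answer or the tcpdump project. It constructs a small classic little-endian pcap in memory (the sample frames and snaplen of 96 are made up), then parses it, rejects an implausible header snaplen, and reports every record whose captured length is shorter than its original length.

```python
"""Inspect a pcap savefile for snapshot-length truncation.

Added example, not part of the original thread or of tcpdump. Only the
classic little-endian pcap format (magic 0xa1b2c3d4) is handled; pcapng
and big-endian files are out of scope here.
"""
import struct

# Same value as tcpdump's MAXIMUM_SNAPLEN in netdissect.h.
MAXIMUM_SNAPLEN = 262144

PCAP_MAGIC_LE = 0xA1B2C3D4
# magic, version major/minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
GLOBAL_HDR = struct.Struct("<IHHiIII")
# ts_sec, ts_usec, incl_len (captured), orig_len (on the wire) (16 bytes)
RECORD_HDR = struct.Struct("<IIII")


def build_pcap(snaplen, packets):
    """Serialize (timestamp, frame) pairs into a pcap, truncating each frame
    to `snaplen` exactly as a capture tool with -s snaplen would."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1))
    for ts_sec, frame in packets:
        captured = frame[:snaplen]
        out += RECORD_HDR.pack(ts_sec, 0, len(captured), len(frame))
        out += captured
    return bytes(out)


def parse_pcap(data):
    """Parse a pcap and return the header fields plus per-record lengths.

    The snaplen is bounded before it is trusted for anything, and every
    record is checked against both the snaplen and the remaining bytes,
    so a crafted header cannot drive an oversized allocation or a read
    past the end of the file."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("short global header")
    magic, _major, _minor, _tz, _sig, snaplen, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("unsupported magic 0x%08x" % magic)
    if snaplen == 0 or snaplen > MAXIMUM_SNAPLEN:
        raise ValueError("implausible snaplen %d (max %d)" % (snaplen, MAXIMUM_SNAPLEN))
    records = []
    off = GLOBAL_HDR.size
    while off < len(data):
        if len(data) - off < RECORD_HDR.size:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, _ts_usec, incl_len, orig_len = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("inconsistent lengths in record at offset %d" % off)
        if len(data) - off < incl_len:
            raise ValueError("record body runs past end of file")
        records.append({
            "ts": ts_sec,
            "captured": incl_len,
            "original": orig_len,
            # This is the condition tcpdump flags as "[|proto]" when dissecting.
            "truncated": incl_len < orig_len,
        })
        off += incl_len
    return {"snaplen": snaplen, "linktype": linktype, "records": records}


def truncation_summary(data):
    """Count truncated records and the bytes lost to the snaplen."""
    parsed = parse_pcap(data)
    trunc = [r for r in parsed["records"] if r["truncated"]]
    return {
        "snaplen": parsed["snaplen"],
        "total": len(parsed["records"]),
        "truncated": len(trunc),
        "lost_bytes": sum(r["original"] - r["captured"] for r in trunc),
    }


def header_accepted(data):
    """True if the file passes the header and record sanity checks."""
    try:
        parse_pcap(data)
        return True
    except ValueError:
        return False


# Constructed sample: a minimum-size 60-byte frame and a full 1514-byte
# Ethernet frame, captured with a deliberately small snaplen of 96.
SAMPLE_PACKETS = [(1700000000, bytes(60)), (1700000001, bytes(1514))]
SAMPLE_PCAP = build_pcap(96, SAMPLE_PACKETS)

if __name__ == "__main__":
    print(truncation_summary(SAMPLE_PCAP))
    # A header claiming snaplen 2^31-1 is refused instead of honoured.
    print(header_accepted(build_pcap(2**31 - 1, [])))
```

With the default 262144 snaplen the same two frames parse with no truncation, which is the trade-off the man page describes: the larger snapshot costs buffer space, the smaller one costs the application-layer bytes you may later need in an investigation.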