Hi, For large amounts of data transfer like video stream, FTP, I don't really need data but I do want to get the full headers of each frame for analysis. The question is, would that cause any potential problem when doing analysis? For example, incorrect statistics, etc... If we do an IO graph, will the result be the same if you captured a full trace as compared with a trace using -s <snaplen>? Thanks! asked 20 Aug '14, 02:20 SteveZhou edited 20 Aug '14, 03:23 grahamb ♦
One Answer:
Yes, all statistics will be the same, because each frame will still know its original length. The payload bytes just aren't there to decode, but that's all. So as long as you don't care about payload contents you can capture just the headers and do your analysis. answered 20 Aug '14, 02:35 Jasper ♦♦
Many thanks for the quick response!
By the way, what is the typical snaplen to specify to make sure all of the headers will be included? Is there a rule of thumb value?
For normal TCP I go for 64 bytes, but if I need upper layer headers like NetBIOS/SMB as well I might choose 128 or 256, depending on how big they are.
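The two points in this thread (statistics stay the same under a snaplen because each pcap record stores the original on-the-wire length separately from the captured length, and a snaplen has to be large enough to cover the headers you want) can be checked directly on a pcap file. The following is an added example, not code from the thread or from the Wireshark project: it builds a few constructed Ethernet/IPv4/TCP frames, writes them as a classic pcap once in full and once truncated to a snaplen (the same thing `-s <snaplen>` does), buckets bytes per second the way an IO graph would, and checks whether the captured bytes still contain complete headers. Function names, addresses and the dummy payloads are all made up for the example; IP and TCP checksums are left as zero.

```python
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

# Constructed TCP option block: NOP, NOP, Timestamps (kind 8, len 10) = 12 bytes.
TIMESTAMP_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00" * 8


def build_frame(payload_len, tcp_options=b""):
    """Constructed Ethernet/IPv4/TCP frame with a zero-filled payload (checksums left 0)."""
    tcp_hdr_len = 20 + len(tcp_options)
    assert tcp_hdr_len % 4 == 0, "TCP data offset is counted in 32-bit words"
    ip_total = 20 + tcp_hdr_len + payload_len
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"            # dst, src, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1,
                      (tcp_hdr_len // 4) << 4, 0x18, 65535, 0, 0) + tcp_options
    return eth + ip + tcp + b"\x00" * payload_len


def write_pcap(frames, snaplen):
    """Serialise (timestamp, frame) pairs as pcap, truncating each frame to snaplen.
    incl_len is what was stored; orig_len is the full on-the-wire length."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        captured = frame[:snaplen]
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(captured), len(frame)) + captured
    return out


def read_pcap(data):
    """Yield (timestamp, incl_len, orig_len, captured_bytes) for each record."""
    magic, _, _, _, _, _snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    assert magic == PCAP_MAGIC and linktype == LINKTYPE_ETHERNET
    off = 24
    while off < len(data):
        sec, usec, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, incl_len, orig_len, data[off:off + incl_len]
        off += incl_len


def bytes_per_second(data, use_wire_length=True):
    """IO-graph style buckets of bytes per 1 s interval. Using orig_len (the frame's
    recorded original length) gives the same curve for a full and a snaplen capture;
    using incl_len would only count the bytes that were actually stored."""
    buckets = Counter()
    for ts, incl_len, orig_len, _ in read_pcap(data):
        buckets[int(ts)] += orig_len if use_wire_length else incl_len
    return dict(sorted(buckets.items()))


def header_span(captured):
    """Length of Ethernet+IPv4+TCP headers present in the captured bytes, or None
    if the snaplen cut into them (so a dissector could not decode them fully)."""
    if len(captured) < 14 + 20:
        return None
    ihl = (captured[14] & 0x0F) * 4
    tcp_start = 14 + ihl
    if len(captured) < tcp_start + 13:          # need the TCP data-offset byte
        return None
    data_offset = (captured[tcp_start + 12] >> 4) * 4
    total = tcp_start + data_offset
    return total if len(captured) >= total else None


def demo():
    """Constructed traffic: two large frames in second 0, one small frame in second 1."""
    frames = [(0.0, build_frame(1400)), (0.5, build_frame(1400)), (1.2, build_frame(100))]
    full = write_pcap(frames, 262144)
    trunc = write_pcap(frames, 64)
    return {
        "full_graph": bytes_per_second(full),
        "snaplen_graph": bytes_per_second(trunc),
        "snaplen_stored_only": bytes_per_second(trunc, use_wire_length=False),
        "plain_tcp_64": header_span(build_frame(1400)[:64]),
        "tcp_with_timestamps_64": header_span(build_frame(1400, TIMESTAMP_OPTIONS)[:64]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

`full_graph` and `snaplen_graph` come out identical because both are computed from `orig_len`; only `snaplen_stored_only` shrinks, which is the file-size saving. The last two entries show the header check: a plain Ethernet/IPv4/TCP frame needs 54 bytes, so a snaplen of 64 covers it, while the same frame with a 12-byte TCP timestamp option needs 66 bytes and would have its TCP header cut off at 64.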