tcpdump default capture size differs on similar servers


Running /usr/sbin/tcpdump -n dst ${some_ip} and dst port 80 on two different but similar (distro, version) servers gives me different capture sizes (65535 bytes for one, 262144 bytes for another).

What might cause this difference in tcpdump capture size? What discrepencies might it cause in resulting data output?

EDIT: ldd $(which tcpdump) has the same output on both servers: =>  (0xdeadbeef) => /lib/x86_64-linux-gnu/ (0xdeadbeef) => /usr/lib/x86_64-linux-gnu/ (0xdeadbeef) => /lib/x86_64-linux-gnu/ (0xdeadbeef) => /lib/x86_64-linux-gnu/ (0xdeadbeef)
    /lib64/ (0xdeadbeef)

Ah, but kernel versions differ, must be something to do with that...

capture size 65535:
    Ubuntu 14.04.4, Linux 3.13.0-85-generic
capture size 262144:
    Ubuntu 14.04.5, Linux 3.13.0-116-generic
asked on Server Fault Jun 12, 2017 by mVChr • edited Jun 12, 2017 by mVChr

1 Answer


Snapshot Length

Look at and search for snapshot-length. The default is based on your version of libpcap or any custom capture driver you are using.

answered on Server Fault Jun 12, 2017 by Aaron

User contributions licensed under CC BY-SA 3.0