On Tue, May 21, 2002 at 03:38:06PM -0300, Fernando Hwang wrote:
> Can I capture only the header of the packets, not the whole packet?
There's no such thing as "the" header of the packets. For example, a
packet that's part of a Telnet session running over Ethernet has:
an Ethernet header;
an IPv4 header or IPv6 headers;
a TCP header;
the Telnet data;
in it. None of those three headers is "the" header; it's just "a"
header.
Ethereal - and tcpdump, and various other programs do not themselves
include code to capture packets; it uses the libpcap library, which, in
turn, uses mechanisms in the OS (or in WinPcap, on Windows) to capture
packets. Those OS mechanisms do not include anything to allow a program
to capture only specific headers.
You can, however, specify that only the first N bytes of the packet
should be captured; as the packet headers may be variable-length (some
link-layers, such as Token Ring and IEEE 802.11, may have
variable-length headers, IPv4 and TCP headers may have options, and IPv6
may add multiple headers to a packet), and as different packets may have
different headers (some packets, such as ARP packets, might have only an
Ethernet header, and some IP packets might have TCP headers while others
have UDP headers or ICMP headers or OSPF headers or...), this cannot
guarantee that you will see only specific headers (unless you make it
*so* small that it captures only the link-layer header on a network with
fixed-length link-layer headers, but the OS mechanisms also don't let
you set the capture length that low), but if your *real* goal is to
reduce the amount of captured data and the size of the capture file,
that will probably be sufficient.
