
From: "Theo de Raadt" <deraadt@openbsd.org>
Subject: Re: tcpdump(8) DEFAULT_SNAPLEN
To: Lloyd <ng2d68@proton.me>
Cc: "tech@openbsd.org" <tech@openbsd.org>
Date: Sun, 03 Aug 2025 02:36:06 -0600

tcpdump can do 99.9% of its job by only inspecting the headers, and 116 bytes
continues to cover those cases.

If you want to see the whole packet, you use that.

Copying full packets into userland in all cases, makes no sense.  That
is not what this tool is for.  If you want to see the whole packet, you know
your use case, and you use the option.

Lloyd <ng2d68@proton.me> wrote:

> tcpdump on OpenBSD is unique in that it uses a very small default snaplen value of 116 bytes. That current default was committed in 2009 and hasn't changed since. This often results in truncated protocol info from packets when running with default options.
> 
> tcpdump on NetBSD, FreeBSD, Apple, and Linux all use a default of 262144 (256 KiB).
> 
> Before I submit a patch I'd like to understand if there is a technical reason why this value is kept so small and if it's worthy of another bump 16 years later to bring it in line with mainstream tcpdump implementations.
> 
> Regards
> Lloyd
>
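The header-size arithmetic behind the exchange above, as an added example that is not part of the thread and is not OpenBSD's tcpdump code: the script builds a few Ethernet/IP/TCP frames by hand (constructed input), truncates each to a snapshot length and walks whatever headers survive, reporting what a pcap reader would see as caplen versus len. The builder functions (ethernet, ipv4, ipv6, tcp) and snap_report are names chosen for this example; the two snaplen constants are the values quoted in the thread.

```python
"""What a tcpdump snapshot length (snaplen) keeps of a packet.

Added example for this thread, not code from OpenBSD's tcpdump. Frames are
constructed by hand (Ethernet, optional 802.1Q tag, IPv4 or IPv6, TCP) and
snap_report() says, for a given snaplen, whether every header was captured
whole and how many payload bytes survived.
"""
import struct

SNAPLEN_OPENBSD = 116         # OpenBSD tcpdump DEFAULT_SNAPLEN (per the thread)
SNAPLEN_MAINSTREAM = 262144   # default quoted for NetBSD/FreeBSD/Apple/Linux

ETH_IPV4, ETH_IPV6, ETH_VLAN = 0x0800, 0x86DD, 0x8100


def ethernet(ethertype, payload, vlan=None):
    """Ethernet II frame; vlan=<id> inserts an 802.1Q tag (4 extra bytes)."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_VLAN, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def ipv4(payload, proto=6):
    """Minimal 20-byte IPv4 header, no options, checksum left zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def ipv6(payload, nxt=6):
    """Fixed 40-byte IPv6 header, no extension headers."""
    src, dst = bytes(15) + b"\x01", bytes(15) + b"\x02"
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nxt, 64, src, dst) + payload


def tcp(payload, options=b""):
    """TCP header; options padded to a multiple of 4, at most 40 bytes."""
    assert len(options) % 4 == 0 and len(options) <= 40
    doff = 5 + len(options) // 4
    hdr = struct.pack("!HHIIBBHHH", 443, 54321, 1, 1, doff << 4, 0x18, 65535, 0, 0)
    return hdr + options + payload


def snap_report(frame, snaplen):
    """Truncate frame to snaplen and walk the headers that remain.

    Returns wirelen/caplen (pcap's len/caplen), whether all headers down to
    TCP fit, which layer was cut if not, and payload bytes captured vs total.
    """
    snap = frame[:snaplen]
    r = {"wirelen": len(frame), "caplen": len(snap), "headers_complete": False,
         "stopped_at": None, "payload_captured": 0, "payload_total": None}

    def need(n, layer):            # do we have at least n captured bytes?
        if len(snap) < n:
            r["stopped_at"] = layer
            return False
        return True

    off = 14                       # Ethernet II, with one optional 802.1Q tag
    if not need(off, "ethernet"):
        return r
    ethertype = struct.unpack("!H", snap[12:14])[0]
    if ethertype == ETH_VLAN:
        off += 4
        if not need(off, "802.1Q"):
            return r
        ethertype = struct.unpack("!H", snap[off - 2:off])[0]

    if ethertype == ETH_IPV4:      # IHL can extend the header past 20 bytes
        if not need(off + 1, "ipv4"):
            return r
        ihl = (snap[off] & 0x0F) * 4
        if not need(off + ihl, "ipv4"):
            return r
        proto, off = snap[off + 9], off + ihl
    elif ethertype == ETH_IPV6:
        if not need(off + 40, "ipv6"):
            return r
        proto, off = snap[off + 6], off + 40
    else:
        r["stopped_at"] = "unknown ethertype"
        return r

    if proto != 6:                 # only TCP is decoded in this example
        r["stopped_at"] = "non-tcp"
        return r
    if not need(off + 13, "tcp"):  # data offset lives in byte 12 of the header
        return r
    doff = (snap[off + 12] >> 4) * 4
    if not need(off + doff, "tcp"):
        return r
    off += doff

    r["headers_complete"] = True
    r["payload_total"] = len(frame) - off
    r["payload_captured"] = len(snap) - off
    return r


if __name__ == "__main__":
    frames = {
        "ipv4/tcp": ethernet(ETH_IPV4, ipv4(tcp(b"A" * 1000))),
        "ipv6/tcp+40B options": ethernet(ETH_IPV6, ipv6(tcp(b"B" * 500, b"\x01" * 40))),
        "vlan/ipv6/tcp+40B options": ethernet(ETH_IPV6, ipv6(tcp(b"C" * 500, b"\x01" * 40)), vlan=100),
    }
    for name, f in frames.items():
        print(name, snap_report(f, SNAPLEN_OPENBSD), snap_report(f, SNAPLEN_MAINSTREAM))
```

With these constructed frames, plain IPv4/TCP uses 54 header bytes, so a 116-byte snapshot still holds 62 bytes of payload; IPv6 with a full 40 bytes of TCP options reaches 114 header bytes and leaves 2. Adding an 802.1Q tag to that worst case pushes the headers to 118 bytes and the TCP header itself is cut, which is the situation where raising the snaplen with tcpdump's -s option, as the message suggests, is the right move.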