From:
Lloyd <ng2d68@proton.me>
Subject:
Re: tcpdump(8) DEFAULT_SNAPLEN
To:
Theo de Raadt <deraadt@openbsd.org>
Cc:
"tech@openbsd.org" <tech@openbsd.org>
Date:
Sun, 03 Aug 2025 19:35:11 +0000

Theo de Raadt wrote:

> tcpdump can do 99.9% of its job by only inspecting the headers, and 116
> bytes continues to cover those cases.

Fair enough.

I was curious about the history, as the tcpdump in base is an older fork.

It turns out the value chosen in the TCPDump Group's tcpdump is somewhat
arbitrary, and related to Linux loopback packet sizes (64k) and USB packets
captured with USBpcap, so the dart board fell on 256k.

The default was redefined from 96 in 4.0 to the maximum of 64k in tcpdump
4.1, and the maximum was then quadrupled in tcpdump 4.6 with the comment:

/* XXX - does it need to be bigger still? */

(Dear mother, please send more memory.)