I'm trying to capture packets to diagnose a network application. There are a small number of packets for which I want to capture the entire contents for application-level protocol analysis, but a large volume of packets for which I only need to capture the headers and a few bytes of the payload. This is on a 10 gigabit (and I would like to do 25 gigabit in the future) link and I have had trouble maintaining capture throughput when I capture everything.
I have looked at tcpdump, dumpcap, and tshark, and none of them seem to have an option to specify a variable snaplen field. Is there a capture tool that can do this? From looking at the output of dumpcap -d I can see that the return value of the filter is the desired snaplen, or 0 to not capture. But none of these programs seem to take a compiled BPF program as input.
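To make the mechanism the question describes concrete, here is an added illustration (not the questioner's code and not part of any capture tool): a minimal classic-BPF interpreter run over a filter that returns a different snaplen per packet, in the same listing layout dumpcap -d prints. The filter, the port numbers (80 and a hypothetical application port 9999), the snaplen values and the test frames are all constructed for this example.

```python
import struct
# Classic-BPF opcodes, only the subset the filter below needs
LD_H_ABS, LD_B_ABS, LDX_MSH, LD_H_IND = 0x28, 0x30, 0xb1, 0x48
JEQ, JSET, RET_K = 0x15, 0x45, 0x06

def run_bpf(prog, pkt):
    """Return the filter verdict the kernel acts on: 0 = drop, otherwise the
    number of bytes to keep. An out-of-bounds load drops, as in the kernel."""
    A = X = pc = 0
    try:
        while True:
            code, jt, jf, k = prog[pc]
            pc += 1
            if   code == LD_H_ABS: A = struct.unpack_from("!H", pkt, k)[0]
            elif code == LD_B_ABS: A = pkt[k]
            elif code == LDX_MSH:  X = (pkt[k] & 0x0f) * 4      # 4*([k]&0xf)
            elif code == LD_H_IND: A = struct.unpack_from("!H", pkt, X + k)[0]
            elif code == JEQ:      pc += jt if A == k else jf
            elif code == JSET:     pc += jt if A & k else jf
            elif code == RET_K:    return k
            else: raise ValueError("unsupported opcode %#x" % code)
    except (struct.error, IndexError):
        return 0

# Constructed filter, laid out like the "dumpcap -d" listing for Ethernet/IPv4/TCP:
# 64 bytes for TCP to port 80, whole frame for TCP to (hypothetical) port 9999, else drop.
SNAPLEN_PROG = [
    (LD_H_ABS, 0, 0, 12),      # A = ethertype
    (JEQ,      0, 8, 0x0800),  # not IPv4 -> drop
    (LD_B_ABS, 0, 0, 23),      # A = IP protocol
    (JEQ,      0, 6, 6),       # not TCP -> drop
    (LD_H_ABS, 0, 0, 20),      # A = flags + fragment offset
    (JSET,     4, 0, 0x1fff),  # non-first fragment -> drop
    (LDX_MSH,  0, 0, 14),      # X = IPv4 header length
    (LD_H_IND, 0, 0, 16),      # A = TCP destination port
    (JEQ,      2, 0, 80),      # port 80 -> ret 64
    (JEQ,      2, 0, 9999),    # port 9999 -> ret 0xffff
    (RET_K,    0, 0, 0),       # drop
    (RET_K,    0, 0, 64),      # headers plus a few payload bytes
    (RET_K,    0, 0, 0xffff),  # full packet
]
def snaplen_for(pkt): return run_bpf(SNAPLEN_PROG, pkt)

def tcp_frame(dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for testing; checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload
```

A capture program that attached this program to its socket would receive only the first 64 bytes of the port-80 frames, the entire port-9999 frames, and nothing else.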