On Tue, Feb 21, 2006 at 06:51:11PM -0800, Guy Harris wrote:
>
> On Feb 21, 2006, at 6:42 PM, axi wrote:
>
> >When tcpdump receives a packet with prism headers recognized as above:
> >
> >" listening on ath0, link-type PRISM_HEADER (802.11 plus Prism header),
> >capture size 96 bytes"
> >
> >always prints "[|802.11]", with data, control or administration packets.
> >The size of packet result from pcap capture seems to be 96 bytes, but
> >when I capture the same packet with Ethereal, is 240 bytes, 96 bytes +
> >144 bytes of Prism Headers.
>
> Ethereal defaults to a snapshot length of 65535 bytes, meaning, in
> effect, "capture everything".
>
> Tcpdump defaults to a snapshot length of 68 bytes in versions without
> IPv6 support, and 96 bytes in versions with IPv6 support, meaning
> "throw everything past the first {68,96} bytes away".
>
> Given that the Prism header is 144 bytes long, the default snapshot
> length in tcpdump is completely useless when capturing packets with
> Prism headers. (One could perhaps argue that, for link-layer types
> with radio headers, the snapshot length should be increased by the
> length of the header; however, for Radiotap, at least, the header
> length is variable....)

In principle, the radiotap header length is variable, but in practice, it
is virtually always 64 bytes; this is an accommodation for libpcap/tcpdump,
which historically could not handle variable-length headers. (I haven't
been paying close attention to notice whether libpcap/tcpdump supports
variable lengths, now.)

Dave
--
David Young OJC Technologies
[EMAIL PROTECTED] Urbana, IL * (217) 278-3933
-
This is the tcpdump-workers list.
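
The snapshot-length problem discussed in this thread, as an added example that is not part of the original messages or of tcpdump/libpcap: it reads a classic pcap buffer and reports how many bytes of 802.11 data survive after the radio header in each record. The function names and the sample capture built by build_pcap are constructed for illustration; the link-type numbers are libpcap's DLT_PRISM_HEADER and DLT_IEEE802_11_RADIO values.

```python
import struct

DLT_PRISM_HEADER = 119       # libpcap link-type values
DLT_IEEE802_11_RADIO = 127
PRISM_HDR_LEN = 144          # fixed Prism header size cited in the thread

def radio_header_len(linktype, data):
    """Length of the radio pseudo-header, or None if it is itself cut off."""
    if linktype == DLT_PRISM_HEADER:
        return PRISM_HDR_LEN
    if linktype == DLT_IEEE802_11_RADIO:
        if len(data) < 4:
            return None
        # radiotap starts: u8 version, u8 pad, u16 little-endian it_len
        return struct.unpack_from("<H", data, 2)[0]
    raise ValueError("unsupported link type %d" % linktype)

def audit_pcap(buf):
    """Return (snaplen, [(caplen, origlen, dot11_bytes_captured), ...])."""
    magic = struct.unpack_from("<I", buf, 0)[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    snaplen, linktype = struct.unpack_from(endian + "II", buf, 16)
    off, rows = 24, []
    while off + 16 <= len(buf):
        _, _, caplen, origlen = struct.unpack_from(endian + "IIII", buf, off)
        data = buf[off + 16: off + 16 + caplen]
        hlen = radio_header_len(linktype, data)
        # Bytes left for the 802.11 frame once the radio header is skipped
        dot11 = 0 if hlen is None else max(0, len(data) - hlen)
        rows.append((caplen, origlen, dot11))
        off += 16 + caplen
    return snaplen, rows

def build_pcap(snaplen, linktype, frames):
    """Constructed sample: a capture that truncates each frame to snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for frame in frames:
        cap = frame[:snaplen]
        out += struct.pack("<IIII", 0, 0, len(cap), len(frame)) + cap
    return out
```

A record whose third value is 0 carries no 802.11 bytes at all, which is the case tcpdump reports as "[|802.11]" above.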