Hello,

I compiled tcpdump-4.0 with libpcap-1.0 and am dumping it for "ip" with a captured file from http://wiki.wireshark.org/SampleCaptures#head-8200ea41fe91ebefa1b6ea9f86d344c290241276

I have a little confusion about DLT_IEEE802_11. As per my understanding, if the ToDS and FromDS flags are on, it contains a 4th MAC address, and the network layer should be incremented by 6.
http://axp1.csie.ncu.edu.tw/~cmchao/Fall_2007/WN/ch3_802_11_concise.pdf Slide: 43.
But I don't think it's been tested here. Following is the BPF dump.

[sha...@~]$ ./tcpdump-4.0.0/tcpdump -r pcap/Network_Join_Nokia_Mobile.pcap -d ip
reading from file pcap/Network_Join_Nokia_Mobile.pcap, link-type IEEE802_11 (802.11)
(000) ldx      #0x0
(001) txa
(002) add      #24
(003) st       M[0]
(004) ldb      [x + 0]
(005) jset     #0x8             jt 6    jf 11
(006) jset     #0x4             jt 11   jf 7
(007) jset     #0x80            jt 8    jf 11
(008) ld       M[0]
(009) add      #2
(010) st       M[0]
(011) ldb      [0]
(012) jset     #0x4             jt 19   jf 13
(013) ldb      [0]
(014) jset     #0x8             jt 15   jf 19
(015) ldx      M[0]
(016) ldh      [x + 6]
(017) jeq      #0x800           jt 18   jf 19
(018) ret      #2344
(019) ret      #0

--
Thanks
Sharad Chandra
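
The offset arithmetic from the message above, as an added C example (not part of the original post and not libpcap code): `dot11_hdrlen` with `count_addr4 == 0` mirrors instructions 000-010 of the dump, and with `count_addr4 != 0` it also adds 6 when ToDS and FromDS are both set. The function names, the constructed sample frame and the omission of the HT Control field are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define FC0_TYPE_MASK   0x0c  /* frame control byte 0: type bits */
#define FC0_TYPE_DATA   0x08  /* type == data */
#define FC0_SUBTYPE_QOS 0x80  /* QoS bit of the data subtype */
#define FC1_DS_MASK     0x03  /* frame control byte 1: ToDS | FromDS */

/* MAC header length. count_addr4 == 0 mirrors instructions 000-010 of the
 * dump (24, plus 2 for QoS data); count_addr4 != 0 also adds 6 for
 * Address 4 when ToDS and FromDS are both set. */
static size_t dot11_hdrlen(uint8_t fc0, uint8_t fc1, int count_addr4)
{
    size_t len = 24;
    if ((fc0 & FC0_TYPE_MASK) != FC0_TYPE_DATA) return len;
    if (fc0 & FC0_SUBTYPE_QOS)
        len += 2;
    if (count_addr4 && (fc1 & FC1_DS_MASK) == FC1_DS_MASK)
        len += 6;
    return len;
}

/* Mirrors instructions 011-019: data frame with 0x0800 at hdrlen + 6. */
static int matches_ip(const uint8_t *f, size_t caplen, int count_addr4)
{
    size_t off;
    if (caplen < 2 || (f[0] & FC0_TYPE_MASK) != FC0_TYPE_DATA) return 0;
    off = dot11_hdrlen(f[0], f[1], count_addr4) + 6;
    if (off + 2 > caplen) return 0;   /* never read past the capture */
    return ((f[off] << 8) | f[off + 1]) == 0x0800;
}

/* Constructed sample: zeroed header fields, then LLC/SNAP carrying IPv4,
 * placed where the full header (Address 4 included) ends. */
static int demo(uint8_t fc0, uint8_t fc1, int count_addr4)
{
    static const uint8_t snap[8] = { 0xaa, 0xaa, 0x03, 0, 0, 0, 0x08, 0x00 };
    uint8_t f[64] = { 0 };
    size_t hl = dot11_hdrlen(fc0, fc1, 1);
    f[0] = fc0; f[1] = fc1;
    memcpy(f + hl, snap, sizeof snap);
    return matches_ip(f, hl + sizeof snap + 20, count_addr4);
}

int main(void)
{
    printf("4-address frame: dump's offset %d, with +6 %d\n",
           demo(0x08, 0x03, 0), demo(0x08, 0x03, 1));
    return 0;
}
```

On the constructed 4-address frame the dump's offset lands on the first two LLC bytes (0xaaaa) instead of the type field, so the "ip" test fails; with the extra 6 bytes it matches.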