On Apr 19, 2011, at 9:15 AM, Sam Roberts wrote:

> Does anybody here know what causes this? Am I calling libpcap
> incorrectly?

Yes:

> int snaplen = 0;

...

> pcap_t* cap = pcap_open_live(source, snaplen, promisc, to_ms, errbuf);

A snapshot length of 0, in libpcap, doesn't mean "give me the entire packet";
it's not guaranteed to do anything useful. It might get raised to some minimum
non-zero length. It means "give me the entire packet" in tcpdump because
tcpdump explicitly checks for it and passes in 65535 instead.

There's also a bug in 1.1.1 where shorter snapshot lengths don't work for
memory-mapped Linux capture; it's fixed in the trunk and the 1.2 branch.
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
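
The point made in the reply above, as an added example that is not part of the original message and is not libpcap or tcpdump code: a hypothetical `effective_snaplen()` wrapper that replaces 0 with the explicit 65535 the reply mentions, and a hypothetical `count_truncated()` check that walks a pcap savefile image and counts records cut short by the snapshot length. The sample bytes are constructed, and only the little-endian, microsecond-resolution savefile layout is handled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define FULL_SNAPLEN 65535 /* what the post says tcpdump passes instead of 0 */

/* Hypothetical wrapper: map 0 to an explicit full-packet length before it
 * reaches pcap_open_live(). Treating negatives the same is an assumption. */
int effective_snaplen(int requested) {
    return requested <= 0 ? FULL_SNAPLEN : requested;
}

static uint32_t le32(const unsigned char *p) { /* little-endian 32-bit read */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk a little-endian, microsecond-resolution pcap savefile image. Returns
 * the number of records whose captured length is below the on-wire length
 * (cut short by the snapshot length), or -1 if the image is malformed. */
int count_truncated(const unsigned char *buf, size_t len, uint32_t *snaplen) {
    if (len < 24 || le32(buf) != 0xa1b2c3d4u) return -1;
    *snaplen = le32(buf + 16);           /* snaplen field of the file header */
    size_t off = 24;
    int truncated = 0;
    while (off < len) {
        if (len - off < 16) return -1;   /* partial record header */
        uint32_t incl = le32(buf + off + 8), orig = le32(buf + off + 12);
        off += 16;
        if (incl > len - off) return -1; /* record data runs past the end */
        if (incl < orig) truncated++;
        off += incl;
    }
    return truncated;
}

/* Constructed sample: file header with snaplen 4, then two 4-byte records. */
const unsigned char SAMPLE[] = {
    0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 4,0,0,0, 1,0,0,0,
    0,0,0,0, 0,0,0,0, 4,0,0,0,  4,0,0,0, 0xde,0xad,0xbe,0xef, /* complete  */
    0,0,0,0, 0,0,0,0, 4,0,0,0, 60,0,0,0, 0xde,0xad,0xbe,0xef, /* cut short */
};

int main(void) {
    uint32_t snaplen = 0;
    int n = count_truncated(SAMPLE, sizeof SAMPLE, &snaplen);
    printf("open with snaplen %d; sample: snaplen %u, %d truncated\n",
           effective_snaplen(0), (unsigned)snaplen, n);
    return 0;
}
```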