>>>>> "Hrju" == Hrju Blja <[email protected]> writes:
Hrju> Hi, I develop a Linux sniffer application, which uses libpcap
Hrju> 1.2.0 library. The problem is that on some 2.6.16 and 2.4
Hrju> kernel machines, which are pretty much "usual", SOMETIMES SOME
Hrju> packets are captured partially, i.e. tpacket_hdr structure
Hrju> tp_snaplen value is less than tp_len value. I see this right
Hrju> after that libpcap code calls RING_GET_FRAME on pcap_t handle,
Hrju> so my assumption is that libpcap is not "guilty" here, but some
Hrju> kernel infrastructure is.
Hrju> After short investigation I found that in create_ring()
Hrju> function the max frame size is set to MTU size + 18. It did
Hrju> not help, but confused even more - my partial packets are of
Hrju> size much larger than the NIC MTU, e.g. MTU size is 1500, while
Hrju> partial packets captured size is 3128, and 3400 on wire.

Another possibility is that you have something in your network stack
which is assembling fragments for you prior to reaching the point where
the pcap hook occurs.

I wouldn't expect to see any such thing on a stock kernel, but I have
seen it with various proprietary "firewalls" and bridge interfaces
(VMware used to plug into the network at a bad place, I thought that
this was fixed years ago, however), and also with some vendors' Network
Accelerator/TCP-offload cards.
--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] [email protected] http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.
-
This is the tcpdump-workers list.
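
An added example, not part of the thread and not libpcap code: a check a capture application could run over ring frames to separate ordinary truncation (tp_snaplen < tp_len) from frames whose on-wire length exceeds MTU + 18, the symptom the reply attributes to something assembling packets before the pcap hook. `struct frame_len` is a stand-in for the two `tpacket_hdr` fields named in the post, and every sample value except the 3400/3128 pair is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in (assumption) for the two struct tpacket_hdr fields in the thread. */
struct frame_len {
    uint32_t tp_len;     /* length on the wire */
    uint32_t tp_snaplen; /* bytes actually captured */
};

#define LINK_OVERHEAD 18u /* the "MTU + 18" frame size quoted in the post */

enum frame_class { FRAME_OK, FRAME_TRUNCATED, FRAME_OVERSIZE, FRAME_OVERSIZE_TRUNCATED };

struct ring_stats { unsigned count[4]; uint64_t bytes_lost; };

/* Truncated: snaplen < len. Oversize: on-wire length > MTU + 18. */
enum frame_class classify_frame(const struct frame_len *f, uint32_t mtu)
{
    int truncated = f->tp_snaplen < f->tp_len;
    int oversize = f->tp_len > mtu + LINK_OVERHEAD;
    if (oversize)
        return truncated ? FRAME_OVERSIZE_TRUNCATED : FRAME_OVERSIZE;
    return truncated ? FRAME_TRUNCATED : FRAME_OK;
}

/* Count frames per class and total the bytes missing from the capture. */
struct ring_stats audit_frames(const struct frame_len *frames, size_t n, uint32_t mtu)
{
    struct ring_stats s = { {0, 0, 0, 0}, 0 };
    for (size_t i = 0; i < n; i++) {
        s.count[classify_frame(&frames[i], mtu)]++;
        if (frames[i].tp_snaplen < frames[i].tp_len)
            s.bytes_lost += frames[i].tp_len - frames[i].tp_snaplen;
    }
    return s;
}

/* Constructed sample; only the 3400/3128 pair comes from the post. */
static const struct frame_len sample[] = {
    {60, 60}, {1514, 1514}, {3400, 3128}, {1514, 96}, {9014, 9014},
};

int main(void)
{
    struct ring_stats s = audit_frames(sample, sizeof sample / sizeof sample[0], 1500);
    printf("ok=%u truncated=%u oversize=%u oversize+truncated=%u lost=%llu\n",
           s.count[FRAME_OK], s.count[FRAME_TRUNCATED], s.count[FRAME_OVERSIZE],
           s.count[FRAME_OVERSIZE_TRUNCATED], (unsigned long long)s.bytes_lost);
    return 0;
}
```

A non-zero oversize count on an interface with a 1500-byte MTU points at the stack below the tap rather than at the snapshot length.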