(This is a libpcap issue, and, as such, should go to [EMAIL PROTECTED] rather than ethereal-dev.
Note also that "[EMAIL PROTECTED]", mail to which is forwarded to "[EMAIL PROTECTED]" and "[EMAIL PROTECTED]", is on ethereal-dev, ethereal-users, and tcpdump-workers, so there is no need to mail to "[EMAIL PROTECTED]", "[EMAIL PROTECTED]", or "[EMAIL PROTECTED]" if you're sending mail to any of those three lists.) On Wed, Apr 10, 2002 at 05:52:26PM +0800, Hans wrote: > What the matter? There's a bug in the libpcap code generator for link-layer types that use 802.2 LLC; I will look at fixing that when I have time to look at it at home. (There's more to fixing it than one might naively think; the code cannot assume that SNAP is being used, as "off_nl" is used for OSI protocol filters as well.) > In addition, I want the filter to return the entire frame, not > just the frame header. The default snapshot length in tcpdump is 68 bytes, or 0x44, so, by default, tcpdump just gets the first 68 bytes of a frame. If you want the entire frame, you must tell tcpdump to give you the entire frame, with the "-s" flag - "-s 0" should do (Gilbert added support for "0" as an argument to "-s", meaning "use 65535", in 0.6, I think). > I may replace 0x00000044 with 0x0000ffff. If this is in your own program, then you need to pass a snapshot length of 65535 to "pcap_open_live()" or "pcap_open_offline()" or "pcap_open_dead()", so that "pcap_compile()" will generate "ret #65535" rather than "ret #68". - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
