On Oct 30, 2003, at 4:01 PM, Aaron Turner wrote:
So I've got an old pcap file which I don't remember the actual snaplen used.
Now I know the pcap_file_header keeps a record of this (in my case 144
bytes). What is strange though, is that the file actually has a maximum
of 158 bytes stored (I can see the extra bytes in ethereal).
158-144 = 14, i.e. the length of an Ethernet link-layer header.
Whatever program wrote the file (or whatever version of libpcap it was using) probably put the snapshot length minus the link-layer header length, not the actual snapshot length (which includes the link-layeer header), into the file.
- This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]
