List: tcpdump-workers
Subject: Re: [tcpdump-workers] corrupted frame on kernel ring mac with ubuntu10.10, libpcap 1.1.1, linux 2.6.
From: Guy Harris <guy () alum ! mit ! edu>
Date: 2011-04-27 23:29:59
Message-ID: 22B92BC8-E81D-4F75-B589-4134111F72AA () alum ! mit ! edu
On Apr 19, 2011, at 9:15 AM, Sam Roberts wrote:
> Does anybody here know what causes this? Am I calling libpcap
> incorrectly?
Yes:
> int snaplen = 0;
...
> pcap_t* cap = pcap_open_live(source, snaplen, promisc, to_ms, errbuf);
A snapshot length of 0, in libpcap, doesn't mean "give me the entire packet"; it's not guaranteed to do anything useful. It might get raised to some minimum non-zero length. It means "give me the entire packet" in tcpdump because tcpdump explicitly checks for it and passes in 65535 instead.
There's also a bug in 1.1.1 where shorter snapshot lengths don't work for memory-mapped Linux capture; it's fixed in the trunk and the 1.2 branch.
-
This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
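An added example, not part of the original message and not libpcap or tcpdump code: it maps a requested snapshot length of 0 to the 65535 that the reply says tcpdump passes, and shows how a capture callback can tell a frame cut short by the snapshot length from one that is actually invalid, reading only the captured bytes. `effective_snaplen`, `check_ipv4_frame` and the sample frame are hypothetical names and constructed data; `caplen` and `len` stand for the fields of libpcap's `struct pcap_pkthdr`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define FULL_SNAPLEN 65535 /* what tcpdump passes when asked for 0 */

/* Hypothetical helper: the snaplen to hand to pcap_open_live(). */
int effective_snaplen(int requested) {
    return requested == 0 ? FULL_SNAPLEN : requested;
}

/* FRAME_INVALID: not a well-formed Ethernet/IPv4 frame for this checker. */
enum frame_status { FRAME_OK, FRAME_TRUNCATED, FRAME_INVALID };

/* caplen and len are the fields of struct pcap_pkthdr: bytes captured
 * and bytes on the wire. Only pkt[0..caplen) may be read. */
enum frame_status check_ipv4_frame(uint32_t caplen, uint32_t len,
                                   const uint8_t *pkt) {
    if (caplen > len) return FRAME_INVALID;     /* inconsistent header */
    if (caplen < len) return FRAME_TRUNCATED;   /* cut by the snaplen */
    if (caplen < 14 + 20) return FRAME_INVALID; /* no Ethernet + IPv4 header */
    if (pkt[12] != 0x08 || pkt[13] != 0x00)     /* EtherType is not IPv4 */
        return FRAME_INVALID;
    size_t ihl = (size_t)(pkt[14] & 0x0f) * 4;        /* IPv4 header length */
    size_t total = ((size_t)pkt[16] << 8) | pkt[17];  /* IPv4 total length */
    if (ihl < 20 || total < ihl) return FRAME_INVALID;
    if (14 + total > caplen) return FRAME_INVALID;    /* runs past the frame */
    return FRAME_OK;
}

/* Constructed sample: broadcast Ethernet frame, IPv4 total length 24. */
const uint8_t sample_frame[38] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02, 0, 0, 0, 0, 0x01, 0x08, 0x00,
    0x45, 0x00, 0x00, 0x18 /* remaining bytes are zero */
};

int main(void) {
    printf("snaplen used for a request of 0: %d\n", effective_snaplen(0));
    printf("whole frame: %d, cut to 34 bytes: %d\n",
           check_ipv4_frame(38, 38, sample_frame),
           check_ipv4_frame(34, 38, sample_frame));
    return 0;
}
```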