List:       tcpdump-workers
Subject:    Re: [tcpdump-workers] corrupted frame on kernel ring mac with ubuntu10.10, libpcap 1.1.1, linux 2.6.
From:       Guy Harris <guy () alum ! mit ! edu>
Date:       2011-04-27 23:29:59
Message-ID: 22B92BC8-E81D-4F75-B589-4134111F72AA () alum ! mit ! edu


On Apr 19, 2011, at 9:15 AM, Sam Roberts wrote:

> Does anybody here know what causes this? Am I calling libpcap
> incorrectly?

Yes:

> int snaplen = 0;

	...

> pcap_t* cap = pcap_open_live(source, snaplen, promisc, to_ms, errbuf);

A snapshot length of 0, in libpcap, doesn't mean "give me the entire packet"; it's not guaranteed to do anything useful.  It might get raised to some minimum non-zero length.  It means "give me the entire packet" in tcpdump because tcpdump explicitly checks for it and passes in 65535 instead.

There's also a bug in 1.1.1 where shorter snapshot lengths don't work for memory-mapped Linux capture; it's fixed in the trunk and the 1.2 branch.

