tcpdump mailing list archives

Re: corrupted frame on kernel ring mac with ubuntu10.10, libpcap 1.1.1, linux 2.6.38


From: Guy Harris <guy () alum mit edu>
Date: Wed, 27 Apr 2011 16:29:59 -0700


On Apr 19, 2011, at 9:15 AM, Sam Roberts wrote:

> Does anybody here know what causes this? Am I calling libpcap
> incorrectly?

Yes:

   int snaplen = 0;

        ...

   pcap_t* cap = pcap_open_live(source, snaplen, promisc, to_ms, errbuf);

A snapshot length of 0, in libpcap, doesn't mean "give me the entire packet"; it's not guaranteed to do anything 
useful.  It might get raised to some minimum non-zero length.  It means "give me the entire packet" in tcpdump because 
tcpdump explicitly checks for it and passes in 65535 instead.

There's also a bug in 1.1.1 where shorter snapshot lengths don't work for memory-mapped Linux capture; it's fixed in 
the trunk and the 1.2 branch.
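
Added example, not part of the message above and not libpcap or tcpdump code: a check that a saved capture was not silently cut at the snapshot length, next to a helper that applies the 0-to-65535 substitution the message attributes to tcpdump. The names `normalize_snaplen`, `audit_pcap`, `snap_audit` and `SAMPLE` are hypothetical, and the parser assumes a classic pcap savefile with microsecond timestamps (not pcapng).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per the message above, tcpdump substitutes 65535 when asked for snaplen 0. */
static int normalize_snaplen(int requested) { return requested <= 0 ? 65535 : requested; }

struct snap_audit { uint32_t snaplen; unsigned packets, truncated; };

/* Read a 32-bit field in the byte order signalled by the file magic. */
static uint32_t rd32(const uint8_t *p, int big) {
    return big ? ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3])
               : ((uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0]);
}

/* Walk a classic pcap savefile held in memory. Returns 0, or -1 if malformed. */
static int audit_pcap(const uint8_t *buf, size_t len, struct snap_audit *out) {
    static const uint8_t le[4] = {0xd4, 0xc3, 0xb2, 0xa1}, be[4] = {0xa1, 0xb2, 0xc3, 0xd4};
    size_t off = 24;                             /* size of the global file header */
    if (len < 24) return -1;
    int big = memcmp(buf, be, 4) == 0;
    if (!big && memcmp(buf, le, 4) != 0) return -1;  /* not a classic pcap file */
    memset(out, 0, sizeof *out);
    out->snaplen = rd32(buf + 16, big);          /* snaplen recorded by the writer */
    while (off < len) {
        if (len - off < 16) return -1;           /* short per-packet header */
        uint32_t caplen = rd32(buf + off + 8, big), wirelen = rd32(buf + off + 12, big);
        off += 16;
        if (caplen > len - off) return -1;       /* record claims more bytes than remain */
        out->packets++;
        if (caplen < wirelen) out->truncated++;  /* frame was cut at the snaplen */
        off += caplen;
    }
    return 0;
}

/* Constructed sample: snaplen 4, one 4-byte frame kept whole, one 60-byte frame cut to 4. */
static const uint8_t SAMPLE[] = {
    0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 4,0,0,0, 1,0,0,0,
    0,0,0,0, 0,0,0,0, 4,0,0,0, 4,0,0,0,  0xde,0xad,0xbe,0xef,
    0,0,0,0, 0,0,0,0, 4,0,0,0, 60,0,0,0, 0xde,0xad,0xbe,0xef,
};

int main(void) {
    struct snap_audit a;
    if (audit_pcap(SAMPLE, sizeof SAMPLE, &a) != 0) return 1;
    printf("snaplen=%u packets=%u truncated=%u; open with %d instead of 0\n",
           (unsigned)a.snaplen, a.packets, a.truncated, normalize_snaplen(0));
    return 0;
}
```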