tcpdump mailing list archives
Re: corrupted frame on kernel ring mac with ubuntu10.10, libpcap 1.1.1, linux 2.6.38
From: Guy Harris <guy () alum mit edu>
Date: Wed, 27 Apr 2011 16:29:59 -0700
On Apr 19, 2011, at 9:15 AM, Sam Roberts wrote:
Does anybody here know what causes this? Am I calling libpcap incorrectly?
Yes:
int snaplen = 0;
...
pcap_t* cap = pcap_open_live(source, snaplen, promisc, to_ms, errbuf);
A snapshot length of 0, in libpcap, doesn't mean "give me the entire packet"; it's not guaranteed to do anything useful. It might get raised to some minimum non-zero length. It means "give me the entire packet" in tcpdump because tcpdump explicitly checks for it and passes in 65535 instead. There's also a bug in 1.1.1 where shorter snapshot lengths don't work for memory-mapped Linux capture; it's fixed in the trunk and the 1.2 branch.- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- corrupted frame on kernel ring mac with ubuntu10.10, libpcap 1.1.1, linux 2.6.38 Sam Roberts (Apr 19)
- Re: corrupted frame on kernel ring mac with ubuntu10.10, libpcap 1.1.1, linux 2.6.38 Guy Harris (Apr 27)