tcpdump mailing list archives

Re: tcpdump - prism headers


From: Guy Harris <guy () alum mit edu>
Date: Tue, 21 Feb 2006 18:51:11 -0800


On Feb 21, 2006, at 6:42 PM, axi wrote:

> When tcpdump receives a packet with prism headers recognized as above:
>
> " listening on ath0, link-type PRISM_HEADER (802.11 plus Prism header), capture size 96 bytes"
>
> always prints "[|802.11]", with data, control or administration packets. The size of packet result from pcap capture seems to be 96 bytes, but when I capture the same packet with Ethereal, it is 240 bytes, 96 bytes + 144 bytes of Prism Headers.

Ethereal defaults to a snapshot length of 65535 bytes, meaning, in effect, "capture everything".

Tcpdump defaults to a snapshot length of 68 bytes in versions without IPv6 support, and 96 bytes in versions with IPv6 support, meaning "throw everything past the first {68,96} bytes away".

Given that the Prism header is 144 bytes long, the default snapshot length in tcpdump is completely useless when capturing packets with Prism headers. (One could perhaps argue that, for link-layer types with radio headers, the snapshot length should be increased by the length of the header; however, for Radiotap, at least, the header length is variable....)

> So, it seems that libpcap cut prism headers,

...because it was told to by tcpdump, and that was because tcpdump wasn't told *not* to tell it to do so.

If you run modern versions of tcpdump with the flag "-s 0", they'll use a snapshot length of 65535 bytes. (Older versions require "-s 65535", but I suspect most systems have modern versions these days.)

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
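
An added example, not part of the original message or of tcpdump/libpcap: a small Python check that reads a classic pcap file's global header and record headers and reports how many bytes of 802.11 data survive after the 144-byte Prism header at a given snapshot length. The helper names (make_pcap, audit_pcap) and the sample capture are constructed for illustration; the 240-byte frame and the 96-byte snapshot length are the figures from the thread.

```python
import struct

PRISM_HEADER_LEN = 144   # Prism header length, as stated in the message above
DLT_PRISM_HEADER = 119   # libpcap link-type value for "802.11 plus Prism header"

def make_pcap(snaplen, linktype, frame_lens):
    """Build a constructed little-endian pcap file, cutting each frame at snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for n in frame_lens:
        caplen = min(n, snaplen)
        out += struct.pack("<IIII", 0, 0, caplen, n) + bytes(caplen)
    return out

def audit_pcap(data):
    """Return snaplen, link type, truncated-packet count and 802.11 bytes per packet."""
    magic = struct.unpack_from("<I", data)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    snaplen, linktype = struct.unpack_from(endian + "II", data, 16)
    radio_len = PRISM_HEADER_LEN if linktype == DLT_PRISM_HEADER else 0
    report = {"snaplen": snaplen, "linktype": linktype,
              "truncated": 0, "dot11_bytes": []}
    off = 24                                  # size of the global header
    while off + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack_from(endian + "IIII", data, off)
        if off + 16 + caplen > len(data):     # file ends mid-record
            break
        off += 16 + caplen
        if caplen < origlen:                  # cut short by the snapshot length
            report["truncated"] += 1
        # Bytes left for the 802.11 frame once the radio header is skipped.
        report["dot11_bytes"].append(max(0, caplen - radio_len))
    return report

if __name__ == "__main__":
    for snap in (96, 65535):                  # tcpdump default vs. "-s 0"
        print(snap, audit_pcap(make_pcap(snap, DLT_PRISM_HEADER, [240])))
```

A dot11_bytes entry of 0 means the whole capture was consumed by the Prism header, which is the case where tcpdump can only print "[|802.11]".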

