tcpdump mailing list archives
Re: packets captured with pcap_open_live("any",
From: rh <rh.forums () verizon net>
Date: Mon, 16 Nov 2009 05:27:17 -0500
Linux cooked capture; aka SLL. It's a way of dealing with possible differences in the link layer across 'any' (i.e., all) devices. I think the code you want to look at is in pcap-linux.c . 2009/11/16 d00fy <d00fy () 163 com>
hi all, recently I captured packets from ethernet with libpcap, I found out that packets which were caputred with pcap_open_live("any", ...)seem like strange, there are two bytes new at mac header, for instance: 00 00 00 01 00 06 00 1e c9 56 f8 a2 f1 00 08 00 but packets which were captured with pcap_open_live("eth0", ...) are normal: 00 1e c9 56 f8 a2 00 0c 29 ee fd fd 08 00 45 10 what doe the two bytes mean? where are they from? OS: ubuntu with kernel 2.6.23 ps: I changed the kernel to 2.6.24, but problem exsits all the same, the two bytes change to another two. - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- packets captured with pcap_open_live("any", ...) seem like strange d00fy (Nov 16)
- Re: packets captured with pcap_open_live("any", rh (Nov 16)
- Re: packets captured with pcap_open_live("any", ...) seem like strange Guy Harris (Nov 16)
- Re: packets captured with d00fy (Nov 16)