Re: pcap_inject change?

[Steve Bourland <sbourland () swri edu>]

On Tue, 11 Sep 2018, Michael Richardson wrote:

> Steve Bourland <sbourland () swri edu> wrote:
>    > are captured, if called with size argument 60, 74 are captured).  On
>    > matching hardware under Ubuntu 16.04 (libpcap 1.7.4), pcap_inject with
>    > size 50 results in 60 bytes on the wire (expected minimum packet size)
>    > and the padding is all zeros. Both machines are using the same Intel
>    > e1000e driver versions (3.2.6-k).  Has anyone else seen this or have a
>    > workaround?
>
> It sounds like different kernel packet capture mechanisms are being used.
> The pcap_lib_version string will tell you what's compiled in, but not which
> one is used. (TPACKET3 vs 2, etc.)
>
> There was no way in earlier versions of libpcap to even know which was used.
> I thought we had a way in 1.9, but I can't find it... so I think that I'm
> wrong, I'm just remembering that we discussed that we should?
>
> The pcap_lib_version string will tell you what's compiled in, but not which
> one is used.
>
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        | network architect  [
> ]     mcr () sandelman ca  http://www.sandelman.ca/        |   ruby on rails    [

OK, as I expected (feared), when I brought the 16.04 machine from kernel 
4.4.0-109 to 4.15.0-34 it started injecting the "extra" 14 bytes, so it 
looks like it is a change in the kernel handling of the injection.  Does 
anyone have any pointers on how to handle this?

Thanks,
Steve
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers