tcpdump mailing list archives
Re: Output goes weird!
From: Guy Harris <guy () alum mit edu>
Date: Thu, 11 Sep 2003 16:06:13 -0700
On Sep 11, 2003, at 2:47 PM, csmjmr () bath ac uk wrote:
> The non-printable characters problem is fixed. I fixed it by setting the snaplen to 2048.
That's not a fix, that just hides the problem - your program should, for safety's sake, check the "caplen" field of the pcap_pkthdr structure, and not look at any bytes past that length. (Yes, if you're capturing on a network where packets are never > 2048 bytes, you *should* be safe - but, just in case the packet is somehow malformed, you should *still* do that check.)
> The packet dropping is a separate problem. I used TCPDUMP to tell me whether packets were being dropped... at the end where it gives number received and number dropped by kernel.
Note that a zero value for the number dropped by the kernel doesn't necessarily mean none were dropped by the kernel - it just means that none were *reported* as being dropped by the kernel, or they were reported but libpcap wasn't able to pick up that report.
On systems with BPF, such as FreeBSD, the number dropped by the kernel should always be reported and that report should be picked up by libpcap.
On Linux systems, however, the number of packets dropped by the kernel is reported only if you have a kernel that supports the PACKET_STATISTICS "getsockopt()" option for PF_PACKET sockets; I don't know when that first appeared, but I think it's a 2.4 feature. That report is picked up by libpcap only if it's a sufficiently recent version of libpcap and it was built on a system with PACKET_STATISTICS support. I don't know which distributions have that, but if your libpcap doesn't report any packets dropped on Linux, it might be reporting something that's not true.
Are you using a packet filter expression when capturing? I.e., does your program do a "pcap_compile()" and a "pcap_setfilter()"?
- This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
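The "caplen" check described in the message above, as an added example that is not part of the original post or of libpcap: every read is bounded by the captured length, so a small snaplen or a malformed header yields an error code instead of a read past the buffer. The function name `tcp4_ports`, the helper `have`, the return codes and the sample frame are hypothetical, and the code assumes an Ethernet link type without VLAN tags.

```c
#include <stdint.h>
#include <stdio.h>

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_NOT_TCP4 = -2, PARSE_MALFORMED = -3 };

/* Constructed sample: Ethernet + IPv4 (IHL 5) + first 4 TCP bytes, ports 1234 -> 80. */
static const unsigned char sample_frame[38] = {
    0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x01, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0,0,0x40,0x00, 0x40,0x06,0,0,
    10,0,0,1, 10,0,0,2, 0x04,0xd2, 0x00,0x50
};

/* True only if bytes [off, off + need) all lie inside the captured data. */
static int have(uint32_t caplen, uint32_t off, uint32_t need)
{
    return off <= caplen && need <= caplen - off;
}

/* pkt and caplen stand for the packet pointer and h->caplen given to a pcap callback.
 * h->len (length on the wire) is not a bound: it can exceed the bytes captured. */
int tcp4_ports(const unsigned char *pkt, uint32_t caplen,
               uint16_t *sport, uint16_t *dport)
{
    uint32_t off = 14, ihl;                   /* 14 = Ethernet header, no VLAN tag */
    if (!have(caplen, 0, 14))
        return PARSE_TRUNCATED;
    if (pkt[12] != 0x08 || pkt[13] != 0x00)   /* EtherType is not IPv4 */
        return PARSE_NOT_TCP4;
    if (!have(caplen, off, 20))               /* minimum IPv4 header */
        return PARSE_TRUNCATED;
    if ((pkt[off] >> 4) != 4 || pkt[off + 9] != 6)
        return PARSE_NOT_TCP4;
    ihl = (uint32_t)(pkt[off] & 0x0f) * 4;
    if (ihl < 20)                             /* impossible header length */
        return PARSE_MALFORMED;
    off += ihl;                               /* may point past caplen if IHL lies */
    if (!have(caplen, off, 4))                /* two 16-bit TCP port fields */
        return PARSE_TRUNCATED;
    *sport = (uint16_t)((pkt[off] << 8) | pkt[off + 1]);
    *dport = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
    return PARSE_OK;
}

int main(void)
{
    uint16_t s = 0, d = 0;
    printf("full capture: %d\n", tcp4_ports(sample_frame, sizeof sample_frame, &s, &d));
    printf("caplen 36:    %d\n", tcp4_ports(sample_frame, 36, &s, &d));
    return 0;
}
```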