Re: tcpdump - prism headers

[David Young <dyoung () pobox com>]

On Tue, Feb 21, 2006 at 06:51:11PM -0800, Guy Harris wrote:
> On Feb 21, 2006, at 6:42 PM, axi wrote:
>
> > When tcpdump receives a packet with prism headers recognized as above
> > :
> >
> > " listening on ath0, link-type PRISM_HEADER (802.11 plus Prism  
> > header),
> > capture size 96 bytes"
> >
> > always prints "[|802.11]", with data, control or administration  
> > packets. The
> > size of packet result from pcap capture seems to be 96 bytes, but  
> > when I
> > capture the same packet with Ethereal, is 240bytes, 96 bytes + 144  
> > bytes of
> > Prism Headers.
>
> Ethereal defaults to a snapshot length of 65535 bytes, meaning, in  
> effect, "capture everything".
>
> Tcpdump defaults to a snapshot length of 68 bytes in versions without  
> IPv6 support, and 96 bytes in versions with IPv6 support, meaning  
> "throw everything past the first {68,96} bytes away".
>
> Given that the Prism header is 144 bytes long, the default snapshot  
> length in tcpdump is completely useless when capturing packets with  
> Prism headers.  (One could perhaps argue that, for link-layer types  
> with radio headers, the snapshot length should be increased by the  
> length of the header; however, for Radiotap, at least, the header  
> length is variable....)

In principle, the radiotap header length is variable, but in practice, it
is virtually always 64 bytes; this is an accomodation for libpcap/tcpdump,
which historically could not handle variable-length headers.  (I haven't
been paying close attention to notice whether libpcap/tcpdump supports
variable lengths, now.)

Dave

-- 
David Young             OJC Technologies
dyoung () ojctech com      Urbana, IL * (217) 278-3933
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.