tcpdump mailing list archives
Re: pcap_next() caplen is off by 14 bytes (L2 len)
From: "Aaron Turner" <synfinatic () gmail com>
Date: Sun, 1 Apr 2007 22:35:07 -0700
On 4/1/07, Guy Harris <guy () alum mit edu> wrote:
I've checked into the main and x.9 branches a change that sets the pcap_t's snaplen value to 14 more than the value from the file header if the capture was an Ethernet capture with the modified libpcap (based on the magic number). This isn't ideal - I'd like to do it only if the capture was done in cooked mode - but there's no easy way to determine whether it was a cooked-mode capture or not, so, while that means that a raw-mode Ethernet capture will appear to have a snapshot length 14 more than the real snapshot, that's probably the best we can do. That modified libpcap hasn't, as far as I know, been in any Linux distribution for a while, so there shouldn't be many *more* of those files showing up.
Thanks for looking into this more and coming up with a fix. Is there an ETA for 0.9.6 (which I assume will have this fix?) Thanks, Aaron - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- Re: pcap_next() caplen is off by 14 bytes (L2 len) Guy Harris (Apr 01)
- Re: pcap_next() caplen is off by 14 bytes (L2 len) Aaron Turner (Apr 01)
- Re: pcap_next() caplen is off by 14 bytes (L2 len) Ken Bantoft (Apr 02)
- Re: pcap_next() caplen is off by 14 bytes (L2 len) Aaron Turner (Apr 01)