Re: packets captured with pcap_open_live("any",

[rh <rh.forums () verizon net>]

Linux cooked capture; aka SLL.  It's a way of dealing with possible
differences in the link layer across 'any' (i.e., all) devices.

I think the code you want to look at is in pcap-linux.c .

2009/11/16 d00fy <d00fy () 163 com>

> hi all, recently I captured packets from ethernet with libpcap, I found out
> that packets which were caputred with pcap_open_live("any", ...)seem like
> strange, there are two bytes new at mac header, for instance:
> 00 00 00 01 00 06 00 1e     c9 56 f8 a2 f1 00 08 00
> but packets which were captured with pcap_open_live("eth0", ...) are
> normal:
> 00 1e c9 56 f8 a2 00 0c      29 ee fd fd 08 00 45 10
>
> what doe the two bytes mean? where are they from?
>
> OS: ubuntu with kernel 2.6.23
> ps: I changed the kernel to 2.6.24, but problem exsits all the same, the
> two bytes change to another two.
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.