(This is a libpcap issue, and, as such, should go to
tcpdump-workers@xxxxxxxxxxx rather than ethereal-dev.
Note also that "guy@xxxxxxxxxxxx", mail to which is forwarded to
"guy@xxxxxxxxxx" and "gharris@xxxxxxxxx", is on ethereal-dev,
ethereal-users, and tcpdump-workers, so there is no need to mail to
"guy@xxxxxxxxxxxx", "guy@xxxxxxxxxx", or "gharris@xxxxxxxxx" if you're
sending mail to any of those three lists.)

On Wed, Apr 10, 2002 at 05:52:26PM +0800, Hans wrote:
> What's the matter?

There's a bug in the libpcap code generator for link-layer types that
use 802.2 LLC; I will look at fixing that when I have time to look at it
at home. (There's more to fixing it than one might naively think; the
code cannot assume that SNAP is being used, as "off_nl" is used for OSI
protocol filters as well.)

> In addition, I want the filter to return the entire frame, not
> just the frame header.

The default snapshot length in tcpdump is 68 bytes, or 0x44, so, by
default, tcpdump just gets the first 68 bytes of a frame.
If you want the entire frame, you must tell tcpdump to give you the
entire frame, with the "-s" flag - "-s 0" should do (Gilbert added
support for "0" as an argument to "-s", meaning "use 65535", in 0.6, I
think).

> I may replace 0x00000044 with 0x0000ffff.

If this is in your own program, then you need to pass a snapshot length
of 65535 to "pcap_open_live()" or "pcap_open_offline()" or
"pcap_open_dead()", so that "pcap_compile()" will generate "ret #65535"
rather than "ret #68".