Ethereal-users: Re: [ethereal-users] Filtering packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Wed, 5 Jan 2000 00:27:58 -0800

> When I then fill in something in the filter field the capture works.

Thank you.

You have just supplied the key bit of information needed.

> Is this intentional?

It's not intentional on our part.

It's probably not intentional on Red Hat's part.

It may not even have been intentional on Alexey Kuznetsov's part, but I
suspect he managed to make libpcap *REQUIRE* that an application using
it install a capture filter, even if it installs an empty one.

(His patched libpcap - Red Hat picked up one of his patches for 6.1 -
has a comment saying

	/* Bind only after filter is loaded on socket */

just before it does a "bind()" to specify on which interface it should
listen for packets.  If you don't specify a filter, it doesn't do the
bind, so it presumably listens for packets on *no* interface.)

tcpdump *always* adds a filter - if no filter is specified, it installs
an empty filter, which accepts all packets.  Ethereal only installs a
filter if the user specified one.

Sigh....

We could work around it by compiling the filter string even if it's
blank, and installing that; this adds some instructions to the code
path, and, besides, it's just Ugly, but at least it'll let you capture
packets on RH 6.1.

(Every day, I grow more eager to teach wiretap to do packet capture,
blow the explosive bolts, and cast libpcap loose to drift into the far
reaches of space....)