On Wed, Jul 03, 2002 at 10:01:51AM -0700, Bill Fenner wrote:
> This is not surprising, since it's libpcap that generates the bpf
> program given the tcpdump command line. Your libpcap 0.4 is
> IPv4-only, but your libpcap 0.6 knows about IPv6 also (see it
> checking for ethertype 0x86dd?)

Furthermore, it looks as if his libpcap 0.4 may be a version that defaults to "cooked mode" capture (e.g., one of the 0.4-plus-Alexey-Kuznetsov-modification libpcaps), whereas his libpcap 0.6 is defaulting to raw mode; that might explain the unusual offset in the first instruction, for example (negative offsets, as I remember, are used in the Linux kernel packet filter code to refer to fields in the skbuff (see the code following the /* Handle ancillary data, which are impossible (or very difficult) to get parsing packet contents. */ comment in "sk_run_filter()" in "net/core/filter.c" in the kernel source)).
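
The negative-offset convention mentioned in the message above, as an added example that is not part of the original post or of libpcap: it classifies the `k` field of a BPF absolute load the way the Linux socket filter interprets it. The `SKF_*` values are those in Linux `<linux/filter.h>`, redefined locally; `struct insn`, `load_source()` and the sample program are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values as defined in Linux <linux/filter.h>; redefined here so the
   example builds without kernel headers. */
#define SKF_AD_OFF       (-0x1000)
#define SKF_AD_PROTOCOL  0
#define SKF_AD_PKTTYPE   4
#define SKF_AD_IFINDEX   8
#define SKF_NET_OFF      (-0x100000)
#define SKF_LL_OFF       (-0x200000)

struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Hypothetical helper: say what an absolute load (ld/ldh/ldb [k]) reads. */
const char *load_source(const struct insn *in)
{
    if ((in->code & 0x07) != 0x00 || (in->code & 0xe0) != 0x20)
        return "not an absolute load";      /* class != BPF_LD or mode != BPF_ABS */
    int32_t off = (int32_t)in->k;           /* k is stored unsigned, read as signed */
    if (off >= 0) return "packet data";
    if (off >= SKF_AD_OFF) {
        switch (off - SKF_AD_OFF) {
        case SKF_AD_PROTOCOL: return "skb protocol";
        case SKF_AD_PKTTYPE:  return "skb pkt_type";
        case SKF_AD_IFINDEX:  return "skb dev ifindex";
        default:              return "unknown ancillary field";
        }
    }
    if (off >= SKF_NET_OFF) return "network-header relative";
    if (off >= SKF_LL_OFF)  return "link-layer-header relative";
    return "invalid offset";
}

int main(void)
{
    /* Constructed sample: ldh [-4096], ldh [12], jeq #0x86dd */
    struct insn prog[] = {
        { 0x28, 0, 0, 0xfffff000u },
        { 0x28, 0, 0, 12 },
        { 0x15, 0, 1, 0x86dd },
    };
    for (size_t i = 0; i < sizeof prog / sizeof prog[0]; i++)
        printf("(%03zu) k=%d: %s\n", i, (int)(int32_t)prog[i].k, load_source(&prog[i]));
    return 0;
}
```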