On Wed, Jul 03, 2002 at 10:01:51AM -0700, Bill Fenner wrote:
> This is not surprising, since it's libpcap that generates the bpf
> program given the tcpdump command line.  Your libpcap 0.4 is
> IPv4-only, but your libpcap 0.6 knows about IPv6 also (see it
> checking for ethertype 0x86dd?)

Furthermore, it looks as if his libpcap 0.4 may be a version that
defaults to "cooked mode" capture (e.g., one of the
0.4-plus-Alexey-Kuznetsov-modification libpcaps), whereas his libpcap 0.6
is defaulting to raw mode; that might explain the unusual offset in the
first instruction, for example (negative offsets, as I remember, are
used in the Linux kernel packet filter code to refer to fields in the
skbuff (see the code following the

        /* Handle ancillary data, which are impossible
           (or very difficult) to get parsing packet contents.
         */

comment in "sk_run_filter()" in "net/core/filter.c" in the kernel
source)).
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
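
Added example, not part of the original message and not code from libpcap or the kernel: a small classifier showing how a Linux socket filter interprets the `k` offset of an absolute load, using the `SKF_*` values from `<linux/filter.h>`. The `struct insn`, `classify_k()` and `ancillary_name()` names are hypothetical, and the two sample instructions are constructed to stand in for a cooked-mode and a raw-mode first instruction.

```c
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the Linux kernel's <linux/filter.h>. */
#define SKF_AD_OFF      (-0x1000)    /* ancillary data (skbuff fields) */
#define SKF_AD_PROTOCOL 0
#define SKF_AD_PKTTYPE  4
#define SKF_AD_IFINDEX  8
#define SKF_NET_OFF     (-0x100000)  /* relative to network header */
#define SKF_LL_OFF      (-0x200000)  /* relative to link-layer header */

/* Hypothetical name; same field layout as a classic BPF instruction. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

enum k_kind { K_PACKET, K_ANCILLARY, K_NET_HDR, K_LL_HDR, K_INVALID };

/* Classify the k field of an absolute load; *rel receives the offset
 * inside the selected region. tcpdump -dd prints k as unsigned, so a
 * negative offset such as -4096 shows up as 0xfffff000. */
enum k_kind classify_k(uint32_t raw_k, int32_t *rel)
{
    int32_t k = (int32_t)raw_k;
    if (k >= 0)           { *rel = k;               return K_PACKET; }
    if (k >= SKF_AD_OFF)  { *rel = k - SKF_AD_OFF;  return K_ANCILLARY; }
    if (k >= SKF_NET_OFF) { *rel = k - SKF_NET_OFF; return K_NET_HDR; }
    if (k >= SKF_LL_OFF)  { *rel = k - SKF_LL_OFF;  return K_LL_HDR; }
    *rel = 0;
    return K_INVALID;
}

const char *ancillary_name(int32_t rel)
{
    switch (rel) {
    case SKF_AD_PROTOCOL: return "SKF_AD_PROTOCOL";
    case SKF_AD_PKTTYPE:  return "SKF_AD_PKTTYPE";
    case SKF_AD_IFINDEX:  return "SKF_AD_IFINDEX";
    default:              return "unknown ancillary field";
    }
}

int main(void)
{
    /* Constructed samples: 0x28 is BPF_LD|BPF_H|BPF_ABS ("ldh"). */
    struct insn cooked = { 0x28, 0, 0, 0xfffff000u }; /* ldh [-4096] */
    struct insn raw    = { 0x28, 0, 0, 12 };          /* ldh [12]    */
    int32_t rel;

    if (classify_k(cooked.k, &rel) == K_ANCILLARY)
        printf("cooked: ancillary load of %s\n", ancillary_name(rel));
    if (classify_k(raw.k, &rel) == K_PACKET)
        printf("raw: packet load at byte %d\n", (int)rel);
    return 0;
}
```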