So am I missing something here, or do none of the primitives in snoop_filter.c know about IP observability devices? For instance, I tried to use "snoop -I ipmp0 dhcp", which didn't work -- but "snoop -I ipmp0 udp port 67 or udp port 68" worked fine. Looking at snoop_capture.c, it seems that most of the cases in primary() assume a link-layer header (indeed, many of the options make no sense *without* a link-layer header) and thus get confused.
-- meem
