Hi,

On Linux, the kernel filter code uses negative offsets for some purposes - for example, "inbound" is implemented via "ether[-4092] = 4". Using this mechanism, the user can apply kernel filter methods for which there is no pcap support.

When capturing on an SLL or SLL2 socket, these negative offsets specified by the user are corrupted before installing the filter in the kernel, so they do not mean what they are intended to mean. This means that a filter like "ether[-4092] = 4" will not work on an "-i any" capture, even though it would work if it was not modified. (I am using this mechanism to capture on multiple interfaces, filtering by ifIndex inside the kernel.)

My pull request has been stalled since April. I've been rebasing in order to make it easier to accept.

https://github.com/the-tcpdump-group/libpcap/pull/820/

Can I request that it get some attention?

Thanks,
Bill

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
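
Added example, not part of the original message and not libpcap code: a classic BPF program that filters by ifIndex through the kernel's ancillary offset SKF_AD_OFF + SKF_AD_IFINDEX (the same family as -4092, which is SKF_AD_OFF + SKF_AD_PKTTYPE), run through two offset rewrites. The helper names and the "subtract the cooked header length from every absolute load" model of the rewrite are assumptions made for illustration.

```c
/* Added example; helper names and the rewrite model are hypothetical. */
#include <linux/filter.h> /* struct sock_filter, BPF_STMT, BPF_JUMP, SKF_AD_* */
#include <stdint.h>
#include <stdio.h>

#define COOKED_HDR_LEN 16u /* length of the SLL cooked header */

/* k is stored unsigned; the kernel reads it as a signed 32-bit offset. */
static int is_kernel_special(uint32_t k) { return (int32_t)k < 0; }

/* Naive rewrite: shifts every absolute offset, including negative ones. */
static uint32_t shift_naive(uint32_t k) { return k - COOKED_HDR_LEN; }

/* Guarded rewrite: negative (kernel-special) offsets pass through unchanged. */
static uint32_t shift_guarded(uint32_t k)
{
    return is_kernel_special(k) ? k : k - COOKED_HDR_LEN;
}

/* Accept a packet only if its ancillary ifindex equals `ifindex`. */
static unsigned build_ifindex_filter(struct sock_filter *out, uint32_t ifindex)
{
    const struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (uint32_t)(SKF_AD_OFF + SKF_AD_IFINDEX)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ifindex, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, 0x40000), /* match: keep up to 256 KiB */
        BPF_STMT(BPF_RET | BPF_K, 0),       /* no match: drop */
    };
    unsigned n = sizeof(prog) / sizeof(prog[0]);
    for (unsigned i = 0; i < n; i++)
        out[i] = prog[i];
    return n;
}

/* Apply an offset rewrite to every absolute load in the program. */
static void rewrite_abs_loads(struct sock_filter *p, unsigned n,
                              uint32_t (*fix)(uint32_t))
{
    for (unsigned i = 0; i < n; i++)
        if (BPF_CLASS(p[i].code) == BPF_LD && BPF_MODE(p[i].code) == BPF_ABS)
            p[i].k = fix(p[i].k);
}

int main(void)
{
    struct sock_filter a[4], b[4];
    unsigned n = build_ifindex_filter(a, 3); /* 3 is a constructed ifindex */
    build_ifindex_filter(b, 3);
    rewrite_abs_loads(a, n, shift_naive);
    rewrite_abs_loads(b, n, shift_guarded);
    printf("naive: %d  guarded: %d\n", (int)(int32_t)a[0].k, (int)(int32_t)b[0].k);
}
```

After the naive rewrite the load offset is -4104, which is no longer the ifindex slot; the guarded rewrite leaves it at -4088.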