Somebody got confused by tcpdump on OS X Yosemite defaulting to capturing on 
all devices simultaneously, meaning that it got PKTAP metadata headers:

        http://www.tcpdump.org/linktypes/LINKTYPE_PKTAP.html

and asked about this on SuperUser because the "tcpdump -x" and "tcpdump -xx" 
output wasn't what they expected, as they weren't getting Ethernet headers:

        http://superuser.com/questions/897579/what-does-tcpdump-xx-do-in-mac-os-x/897625

I think a case can be made that "tcpdump -x" should skip both metadata headers 
and link-layer headers; I don't see any issues with doing that.

A case can also be made that "tcpdump -xx" should at least skip metadata 
headers, although there *might* be scripts, for example, that expect to see 
radiotap headers dumped in hex with "tcpdump -xx".

My inclination would be to have:

        -x mean "skip metadata and link-layer headers";

        -xx mean "skip metadata headers";

        -xxx mean "dump the entire payload, skipping nothing."

Does that seem reasonable?
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

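The following is an added example, not tcpdump's code and not part of the message above. It shows what each of the proposed levels (-x, -xx, -xxx) would leave in a hex dump when the capture has LINKTYPE_PKTAP framing around an Ethernet frame. Assumptions are labelled in the code: the PKTAP header is read as tcpdump's print-pktap.c does, i.e. little-endian 32-bit pkt_len at offset 0, pkt_rectype at offset 4 and pkt_dlt at offset 8, with a 108-byte minimum header; the sample frame is constructed, not captured; and the link-layer header lengths are a small hand-written table, not a general libpcap lookup. Note that the registry value LINKTYPE_PKTAP = 258 is what a portable pcap file carries; Apple's own libpcap maps DLT_PKTAP onto a DLT_USER value, so a reader of files written on OS X should check the link-layer type in the file header rather than assume 258.

```python
"""Illustrate the proposed -x / -xx / -xxx semantics over PKTAP-encapsulated frames.

Added example, not tcpdump's code.  Assumptions (see lead-in): PKTAP header layout
per tcpdump's print-pktap.c as recalled here (little-endian uint32 pkt_len at
offset 0, pkt_rectype at 4, pkt_dlt at 8); the sample frame below is constructed.
"""
import struct

LINKTYPE_NULL = 0           # BSD loopback, 4-byte address-family header
LINKTYPE_EN10MB = 1         # Ethernet, 14-byte header
LINKTYPE_RAW = 12           # DLT_RAW on BSD/macOS, no link-layer header
LINKTYPE_PKTAP = 258        # tcpdump.org registry value for PKTAP

PKTAP_HEADER_MIN_LEN = 108  # sizeof(struct pktap_header) (assumption)
PKT_REC_PACKET = 1          # record type meaning "a packet follows the header"

# Fixed link-layer header lengths for the DLTs this example understands (hand-written table).
LINK_HEADER_LEN = {LINKTYPE_EN10MB: 14, LINKTYPE_NULL: 4, LINKTYPE_RAW: 0}


def split_pktap(frame):
    """Return (metadata_header, inner_dlt, inner_frame) for a PKTAP-encapsulated frame."""
    if len(frame) < 12:
        raise ValueError("frame too short for a PKTAP header")
    pkt_len, rectype, dlt = struct.unpack_from("<III", frame, 0)
    if pkt_len < PKTAP_HEADER_MIN_LEN or pkt_len > len(frame):
        raise ValueError("bad pktap header length %d" % pkt_len)
    if rectype != PKT_REC_PACKET:
        raise ValueError("pktap record carries no packet (rectype %d)" % rectype)
    return frame[:pkt_len], dlt, frame[pkt_len:]


def select_bytes(frame, linktype, level):
    """Bytes a hex dump would show under the proposal: -x = 1, -xx = 2, -xxx = 3.

    -xxx: everything, metadata header included.
    -xx:  skip the metadata header only (link-layer header still shown).
    -x:   skip both the metadata header and the link-layer header.
    """
    if level not in (1, 2, 3):
        raise ValueError("level must be 1, 2 or 3")
    if level == 3:
        return frame
    if linktype == LINKTYPE_PKTAP:
        _meta, linktype, frame = split_pktap(frame)   # strip metadata, use inner DLT
    if level == 2:
        return frame
    if linktype not in LINK_HEADER_LEN:
        raise ValueError("unknown link-layer header length for DLT %d" % linktype)
    return frame[LINK_HEADER_LEN[linktype]:]


def hexdump(data):
    """Format like tcpdump's -x output: an offset, then up to eight 16-bit groups per line."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        lines.append("\t0x%04x:  %s" % (off, " ".join(groups)))
    return "\n".join(lines)


def build_sample_pktap_frame():
    """Constructed PKTAP frame: 108-byte metadata header, Ethernet, IPv4, TCP SYN."""
    meta = struct.pack("<III", PKTAP_HEADER_MIN_LEN, PKT_REC_PACKET, LINKTYPE_EN10MB)
    meta += b"en0".ljust(24, b"\0")                    # pkt_ifname
    meta = meta.ljust(PKTAP_HEADER_MIN_LEN, b"\0")     # remaining fields zeroed
    eth = bytes.fromhex("ffffffffffff" "001122334455" "0800")
    ip = bytes.fromhex("45000028" "00004000" "40060000" "c0a80001" "c0a80002")
    tcp = bytes.fromhex("c3500050" "00000000" "00000000" "5002ffff" "00000000")
    return meta + eth + ip + tcp


if __name__ == "__main__":
    frame = build_sample_pktap_frame()
    for flag, level in (("-x", 1), ("-xx", 2), ("-xxx", 3)):
        print(flag)
        print(hexdump(select_bytes(frame, LINKTYPE_PKTAP, level)))
```

Running the block prints three dumps of the same constructed frame: -x begins at the IPv4 header (0x4500...), -xx begins at the Ethernet destination address, and -xxx begins with the little-endian pkt_len of the metadata header. A plain Ethernet capture (linktype 1) goes through the same select_bytes path with no PKTAP stripping, which is the behaviour the scripts mentioned above would keep.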