[note that tcpdump is now maintained at tcpdump.org; I updated the mailing
list address]
>I am not sure at what point the dump is taken, i.e., whether at
>the ethernet driver (just before putting it on the wire) or at
>the ip layer itself when the ethernet header is not set properly.
>This is because I see the destination ethernet header of
>the outgoing packets as 0.
This is not something that's under tcpdump's control; it's the
operating system that does the actual packet capture. For
example, if I run the command
    tcpdump -e -x -i wi0 ether multicast
I get the expected results for both received packets:
    11:16:03.576106 0:30:c1:c0:1f:eb 1:0:5e:0:1:3c ip 188: 10.0.1.254.svrloc >
    HP-DEVICE-DISC.MCAST.NET.svrloc: udp 146
        4500 00ae 2441 0000 0411 a4c4 0a00 01fe
        e000 013c 01ab 01ab 009a b2f9 0107 0092
        0000 656e 0003 0000 0000 0082 2878 2d68
        702d 7665 723d 3031 2928 782d 6870 2d70
        726f 645f 6964 3d4a 3332 3538 4229 2878
        2d68
and transmitted packets:
    11:15:59.097186 0:60:1d:f1:45:b7 1:0:5e:3:4:5 ip 98: nectar.attlabs.att.com >
    224.3.4.5: icmp: echo request [ttl 1]
        4500 0054 a349 0000 0101 8459 ac18 01e6
        e003 0405 0800 ff77 ca62 0100 df6b 963b
        cb7a 0100 0809 0a0b 0c0d 0e0f 1011 1213
        1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
        2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
        3435
under FreeBSD using BPF. Perhaps someone that knows more about the
packet capture facility in Linux can comment.
Bill
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
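
Added example, not part of the original message or of tcpdump: a small Python check that reads one `tcpdump -e -x` IPv4 record, takes the destination IP from the hex dump, and compares the printed link-layer destination with the multicast MAC that RFC 1112 maps it to, also flagging an all-zero destination as described in the quoted question. The function names and the zeroed sample record are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the transmitted-packet record from the message above
# (first two hex lines only), plus a copy with an all-zero destination MAC,
# which is the symptom described in the quoted question.
GOOD = """11:15:59.097186 0:60:1d:f1:45:b7 1:0:5e:3:4:5 ip 98: nectar.attlabs.att.com > 224.3.4.5: icmp: echo request [ttl 1]
4500 0054 a349 0000 0101 8459 ac18 01e6
e003 0405 0800 ff77 ca62 0100 df6b 963b"""
ZEROED = GOOD.replace("1:0:5e:3:4:5", "0:0:0:0:0:0")

MAC = r"(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}"
HEAD = re.compile(rf"^\S+ ({MAC}) ({MAC}) ip \d+:")

def parse_mac(text):
    # tcpdump -e prints each octet without leading zeros, e.g. 1:0:5e:3:4:5
    return bytes(int(part, 16) for part in text.split(":"))

def expected_multicast_mac(ip):
    # RFC 1112: 01:00:5e followed by the low 23 bits of the group address.
    low23 = int(ip) & 0x7FFFFF
    return bytes.fromhex("01005e") + low23.to_bytes(3, "big")

def check_record(record):
    """Return (dst_ip, verdict) for one `tcpdump -e -x` IPv4 record."""
    first, *hex_lines = record.strip().splitlines()
    m = HEAD.match(first)
    if not m:
        raise ValueError("not an -e style IPv4 header line")
    dst_mac = parse_mac(m.group(2))
    payload = bytes.fromhex("".join(" ".join(hex_lines).split()))
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("hex dump does not start with an IPv4 header")
    dst_ip = ipaddress.IPv4Address(payload[16:20])  # bytes 16..19 = destination
    if dst_mac == bytes(6):
        return str(dst_ip), "zero-dst-mac"
    if dst_ip.is_multicast:
        ok = dst_mac == expected_multicast_mac(dst_ip)
        return str(dst_ip), "ok" if ok else "mac-mismatch"
    return str(dst_ip), "unicast-not-checked"

if __name__ == "__main__":
    for name, rec in (("as captured", GOOD), ("zeroed", ZEROED)):
        print(name, check_record(rec))
```
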