By the way, is there some compelling reason why "dump_and_trunc()", and the routines it uses, are in a separate file, rather than being in "tcpdump.c"?
And shouldn't "dump_and_trunc()" just call "pcap_dump()" to write the record to the capture file, rather than copying the code in "pcap_dump()"? (For one thing, the members of the "ts" field in a "struct pcap_pkthdr" are whatever size the OS makes them, but the members of the "ts" field in a "struct pcap_sf_pkthdr" are 32 bits, so that the format of the capture files on disk doesn't depend on whether the platform writing the capture has 32-bit or 64-bit fields in a "struct timeval"; "pcap_dump()" handles this, but "dump_and_trunc()" doesn't.) Also, "dump_and_trunc()", when rotating over to the next capture file, closes the currently-open output file and opens a new one, but doesn't tell its caller (or other routines up the call tree) about it. This might happen to work, as the same "FILE" structure might get reused, but it still looks unsafe. Perhaps the result of the original "pcap_dump_open()" should be given static storage duration (and static storage class if we move "dump_and_trunc()" to "tcpdump.c"), and "dump_and_trunc()" should store the result of "pcap_dump_open()" there. - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
