> I'm new to the group. Currently I'm trying to write some code to log the
> PPP frames into pcap-formatted log files. My question is that, from what I
> understand so far, the main data structures I may have to use are:
>
> 1) struct pcap, where linktype, tzoff and snapshot are used when trying
> to open a dump file.
>
> 2) struct pcap_pkthdr, where ts, caplen and len are logged as the header
> ahead of the logged packet.
>
> My question is: what kind of value shall I use for the snapshot in struct
> pcap?
If you're saving all the data in the PPP frames to a file, use either
the PPP MTU (i.e., the maximum number of bytes of PPP frame data,
including all PPP headers, being written to the file) or 65535 (meaning
"a lot").
If you're *not* saving all the data in the PPP frames to a file, but are
saving only the first N bytes of data, use N.
> Also, how about caplen and len in pcap_pkthdr? My understanding is
> that caplen is the actual data length encapsulated by this header, while
> len is the data length of the real packet. Is that correct?
No.
"len" is the number of bytes that were in the frame, including all
headers; "caplen" is the number of bytes worth of data in the frame
actually written to the file. Various capture programs can be told to
save only the first N bytes of a frame; this means that you can't always
dissect the frames completely, but it means that less CPU time is spent
when capturing, as only the first N bytes of the frame are copied,
rather than the entire frame.
If the snapshot length is greater than or equal to the length of the
frame, "len" and "caplen" are equal, and are the length of the frame.
If the snapshot length is less than the length of the frame, "len" is
the length of the frame, and "caplen" is the snapshot length.
Both of those lengths include all headers that are in the data written
to the file.
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
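The snaplen/caplen/len relationship described in the reply above, as an added example that is not part of this message and is not libpcap's own code: a small hand-rolled pcap writer for PPP frames. It uses the public pcap file layout (magic 0xa1b2c3d4, version 2.4, a 24-byte file header carrying snaplen and linktype, a 16-byte record header carrying ts_sec, ts_usec, caplen and len) with LINKTYPE_PPP = 9 from the tcpdump.org link-layer header types list. The LCP Echo-Request frame and the timestamp are constructed sample data, and the output file name ppp-sample.pcap is an arbitrary choice. Building the same frame once with snaplen 65535 and once with snaplen 8 shows len staying at the frame length while caplen drops to the snapshot length.

```c
/* Added example: a minimal pcap writer for PPP frames, done by hand rather
 * than through libpcap so the fields discussed in the thread are visible.
 * Multi-byte fields are written little-endian; the magic, written the same
 * way, tells a reader which byte order the file uses. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC_USEC    0xa1b2c3d4u /* microsecond-resolution timestamps */
#define PCAP_VERSION_MAJOR 2
#define PCAP_VERSION_MINOR 4
#define LINKTYPE_PPP       9u          /* PPP, optionally in HDLC-like framing */
#define PCAP_FILE_HDR_LEN  24
#define PCAP_REC_HDR_LEN   16

static void put16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32le(uint8_t *p, uint32_t v) { put16le(p, (uint16_t)v); put16le(p + 2, (uint16_t)(v >> 16)); }
static uint32_t get32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Global file header: snaplen and linktype are stored here, once per file. */
size_t pcap_file_header(uint8_t *out, uint32_t snaplen, uint32_t linktype)
{
    put32le(out + 0, PCAP_MAGIC_USEC);
    put16le(out + 4, PCAP_VERSION_MAJOR);
    put16le(out + 6, PCAP_VERSION_MINOR);
    put32le(out + 8, 0);         /* thiszone: GMT-to-local offset, 0 in practice */
    put32le(out + 12, 0);        /* sigfigs: timestamp accuracy, 0 in practice */
    put32le(out + 16, snaplen);
    put32le(out + 20, linktype);
    return PCAP_FILE_HDR_LEN;
}

/* One record: ts_sec, ts_usec, caplen, len, then caplen bytes of frame data.
 * len is the full frame length including all headers; caplen is how much of
 * it is actually stored, i.e. min(len, snaplen). Returns 0 if out is too small. */
size_t pcap_record(uint8_t *out, size_t outsz, uint32_t ts_sec, uint32_t ts_usec,
                   const uint8_t *frame, uint32_t len, uint32_t snaplen)
{
    uint32_t caplen = len < snaplen ? len : snaplen;
    if (outsz < PCAP_REC_HDR_LEN + (size_t)caplen) return 0;
    put32le(out + 0, ts_sec);
    put32le(out + 4, ts_usec);
    put32le(out + 8, caplen);
    put32le(out + 12, len);
    memcpy(out + PCAP_REC_HDR_LEN, frame, caplen);
    return PCAP_REC_HDR_LEN + caplen;
}

/* Constructed sample frame: an LCP Echo-Request in HDLC-like framing
 * (address 0xff, control 0x03, protocol 0xc021, code 9, id 1, length 8, magic). */
static const uint8_t sample_ppp_frame[] = {
    0xff, 0x03, 0xc0, 0x21, 0x09, 0x01, 0x00, 0x08, 0x12, 0x34, 0x56, 0x78
};

/* Build a one-record capture of the sample frame. Returns bytes used, 0 on error. */
size_t build_sample_capture(uint8_t *out, size_t outsz, uint32_t snaplen)
{
    if (outsz < PCAP_FILE_HDR_LEN) return 0;
    size_t n = pcap_file_header(out, snaplen, LINKTYPE_PPP);
    size_t r = pcap_record(out + n, outsz - n, 1000000000u, 250000u, /* constructed timestamp */
                           sample_ppp_frame, (uint32_t)sizeof sample_ppp_frame, snaplen);
    return r ? n + r : 0;
}

/* Parse the capture back so the caplen/len relationship can be inspected. */
struct capture_summary { size_t bytes; uint32_t linktype, snaplen, caplen, len; };

struct capture_summary summarize_sample_capture(uint32_t snaplen)
{
    uint8_t buf[PCAP_FILE_HDR_LEN + PCAP_REC_HDR_LEN + sizeof sample_ppp_frame];
    struct capture_summary s = {0};
    s.bytes = build_sample_capture(buf, sizeof buf, snaplen);
    if (s.bytes == 0) return s;
    s.snaplen  = get32le(buf + 16);
    s.linktype = get32le(buf + 20);
    s.caplen   = get32le(buf + PCAP_FILE_HDR_LEN + 8);
    s.len      = get32le(buf + PCAP_FILE_HDR_LEN + 12);
    return s;
}

int main(void)
{
    uint8_t buf[64];
    size_t n = build_sample_capture(buf, sizeof buf, 65535u);
    FILE *f = fopen("ppp-sample.pcap", "wb");
    if (!f || fwrite(buf, 1, n, f) != n) { perror("ppp-sample.pcap"); return 1; }
    fclose(f);
    struct capture_summary s = summarize_sample_capture(8u);
    printf("snaplen 8: caplen=%u len=%u\n", s.caplen, s.len);
    return 0;
}
```

The file written by main() opens in tcpdump -r or Wireshark as a PPP capture; rerunning with snaplen 8 produces a record that dissectors flag as truncated, which is exactly the "can't always dissect the frames completely" case the reply describes.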