> I was reading a response saying something about the
> filtering in tcpdump with -r option (savefile) is
> different than the regular live capture.
>
> Is that what libpcap does?
The filtering is done by libpcap.
> And what is the difference specifically?
Well, I don't know to which response you're referring, but if it's the
one about the netmask, the difference is that:
    in a live capture, those filter expressions that depend on the
    netmask (i.e., filter expressions that check for a broadcast IP
    address) use the netmask reported for that interface at the time
    the filter expression is compiled;

    when reading a capture file, those filter expressions use a
    netmask of 0.
> Also why ;-)
Because, when reading a savefile, there is no way for tcpdump or libpcap
to determine the netmask of the interface on which the capture was done
- the netmask isn't stored in the capture file. (No, saving the name of
the interface isn't sufficient - the capture might have been done on a
completely different machine.)
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
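The effect described in the reply above, worked through as an added example (this is not code from the message or from libpcap). The function ip_broadcast() re-implements the test that the "ip broadcast" primitive compiles to, namely that the host part of the IPv4 destination (the bits the netmask leaves clear) is all-ones or all-zeros, and applies it to a few constructed Ethernet/IPv4 frames once with the /24 netmask a live capture would report and once with the netmask of 0 used when reading a savefile. The frames, addresses and function names are assumptions made for the illustration.

```python
import struct
import ipaddress
from typing import Dict, List, Optional

ETHERTYPE_IPV4 = 0x0800
ETH_HDR_LEN = 14
IPV4_DST_OFFSET = ETH_HDR_LEN + 16  # destination address is bytes 16..19 of the IPv4 header


def build_frame(dst_ip: str, src_ip: str = "192.168.1.10") -> bytes:
    """Constructed sample input: a minimal Ethernet + IPv4 frame, not taken from a real capture."""
    eth_hdr = (bytes.fromhex("ffffffffffff")      # destination MAC (broadcast)
               + bytes.fromhex("001122334455")    # source MAC (made up)
               + struct.pack("!H", ETHERTYPE_IPV4))
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20,             # version/IHL, TOS, total length (header only)
                         0, 0,                    # identification, flags/fragment offset
                         64, 17, 0,               # TTL, protocol (UDP), checksum (left zero)
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return eth_hdr + ip_hdr


def ipv4_dst(frame: bytes) -> Optional[int]:
    """Return the IPv4 destination address as an int, or None if this is not an IPv4 frame."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    return struct.unpack("!I", frame[IPV4_DST_OFFSET:IPV4_DST_OFFSET + 4])[0]


def ip_broadcast(frame: bytes, netmask: int) -> bool:
    """
    Re-implementation (not libpcap's own code) of the test the 'ip broadcast'
    primitive compiles to: the frame carries IPv4 and the host part of the
    destination address, i.e. the bits the netmask leaves clear, is either
    all-ones or all-zeros (the two broadcast conventions the tcpdump man page
    describes).  With a netmask of 0 the "host part" is the whole address, so
    only 255.255.255.255 and 0.0.0.0 can ever match.
    """
    dst = ipv4_dst(frame)
    if dst is None:
        return False
    hostmask = ~netmask & 0xFFFFFFFF
    host_bits = dst & hostmask
    return host_bits == 0 or host_bits == hostmask


# Constructed sample traffic: one unicast destination, both broadcast
# conventions for 192.168.1.0/24, and the limited broadcast address.
SAMPLE_FRAMES: Dict[str, bytes] = {
    "192.168.1.20": build_frame("192.168.1.20"),
    "192.168.1.0": build_frame("192.168.1.0"),
    "192.168.1.255": build_frame("192.168.1.255"),
    "255.255.255.255": build_frame("255.255.255.255"),
}

# The netmask a live capture on a /24 interface would hand to the compiler,
# and the 0 that tcpdump uses when reading a savefile.
LIVE_NETMASK = int(ipaddress.IPv4Address("255.255.255.0"))
SAVEFILE_NETMASK = 0


def matching_destinations(netmask: int) -> List[str]:
    """Destinations from SAMPLE_FRAMES that 'ip broadcast' would select under this netmask."""
    return [dst for dst, frame in SAMPLE_FRAMES.items() if ip_broadcast(frame, netmask)]


if __name__ == "__main__":
    print("live   (/24):", matching_destinations(LIVE_NETMASK))
    print("savefile (0):", matching_destinations(SAVEFILE_NETMASK))
```

With the /24 mask the subnet-directed broadcasts 192.168.1.0 and 192.168.1.255 are selected along with 255.255.255.255; with netmask 0 only 255.255.255.255 survives, which is exactly what a user sees when the same "ip broadcast" expression is run with -r on a savefile. The same experiment can be done against libpcap itself by passing different values as the last argument of pcap_compile() on a handle from pcap_open_dead() and feeding the frames to pcap_offline_filter(); note that newer libpcap versions also accept PCAP_NETMASK_UNKNOWN there, in which case "ip broadcast" is rejected at compile time rather than silently matching only the limited broadcast address.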