Guy Harris wrote:
At least on the original systems where BPF was implemented, the snapshot length was supplied by the BPF program; the "return" instruction in BPF includes a snapshot length value, which, if zero, means "discard this packet". On those systems, you need a BPF program to supply a snapshot length.
The WinPcap driver might follow that model, in which case you'd see that behavior, just as you would, for example, on various BSD systems.
Well, I definitely saw it on one BSD system (Mac OS X), and have checked in a fix for BPF systems...
On other systems, that's not the case. Perhaps libpcap should, when opening a device, install, on systems where the snapshot length comes from a BPF program, an initial BPF program that consists only of a "return" instruction with the specified snapshot length.
...which does exactly that.
A similar thing could be done in the WinPcap support code.
==================================================================
This is the WinPcap users list. It is archived at http://email@example.com/
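The mechanism discussed in this thread, as an added example that is not part of the original message and is not libpcap or WinPcap code: a minimal evaluator for three classic BPF opcodes, showing that the value carried by the "return" instruction is the snapshot length and that zero means "discard". The function names, the sample frame and the `ip_only` filter are constructed for illustration.

```c
/* Added example, not libpcap or WinPcap code; opcode values follow classic BPF. */
#include <stdint.h>
#include <stdio.h>

struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define OP_LDH_ABS 0x28 /* A = 16-bit big-endian value at pkt[k] */
#define OP_JEQ_K   0x15 /* A == k ? skip jt instructions : skip jf */
#define OP_RET_K   0x06 /* return k = bytes to keep; 0 = discard */

/* Constructed filter: keep 40 bytes of IPv4 frames, discard everything else. */
static const struct insn ip_only[] = {
    { OP_LDH_ABS, 0, 0, 12 }, { OP_JEQ_K, 0, 1, 0x0800 },
    { OP_RET_K, 0, 0, 40 }, { OP_RET_K, 0, 0, 0 } };

/* Run the program; the result is the snapshot length it asks for. */
static uint32_t run_filter(const struct insn *p, size_t n, const uint8_t *pkt, uint32_t wirelen)
{
    uint32_t A = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &p[pc];
        switch (i->code) {
        case OP_LDH_ABS:
            if (i->k > wirelen || wirelen - i->k < 2) return 0; /* short packet */
            A = ((uint32_t)pkt[i->k] << 8) | pkt[i->k + 1];
            break;
        case OP_JEQ_K: pc += (A == i->k) ? i->jt : i->jf; break;
        case OP_RET_K: return i->k;
        default:       return 0; /* unsupported opcode: discard */
        }
    }
    return 0; /* ran off the end without a return: discard */
}

/* Bytes delivered to the application: the returned value capped at wire length. */
static uint32_t caplen(const struct insn *p, size_t n, const uint8_t *pkt, uint32_t wirelen)
{
    uint32_t snap = run_filter(p, n, pkt, wirelen);
    return snap < wirelen ? snap : wirelen;
}

/* The lone "return" program from the message: accept all, keep snaplen bytes. */
static struct insn accept_all(uint32_t snaplen) { return (struct insn){ OP_RET_K, 0, 0, snaplen }; }

int main(void)
{
    uint8_t frame[60] = { [12] = 0x08, [13] = 0x00 }; /* constructed IPv4 frame */
    struct insn all = accept_all(34);
    printf("%u %u\n", (unsigned)caplen(&all, 1, frame, 60), (unsigned)caplen(ip_only, 4, frame, 60));
}
```

With no program installed there is no "return" value to take the snapshot length from, which is why the single-instruction `accept_all` program is enough to make the requested length take effect.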