Guy Harris wrote:

At least on the original systems where BPF was implemented, the snapshot length was supplied by the BPF program; the "return" instruction in BPF includes a snapshot length value, which, if zero, means "discard this packet". On those systems, you need a BPF program to supply a snapshot length.

The WinPcap driver might follow that model, in which case you'd see that behavior, just as you would, for example, on various BSD systems.

Well, I definitely saw it on one BSD system (Mac OS X), and have checked in a fix for BPF systems...

On other systems, that's not the case. Perhaps libpcap should, when opening a device, install, on systems where the snapshot length comes from a BPF program, an initial BPF program that consists only of a "return" instruction with the specified snapshot length.

...which does exactly that.

A similar thing could be done in the WinPcap support code.

================================================================== This is the WinPcap users list. It is archived at

To unsubscribe use mailto: [EMAIL PROTECTED]

Reply via email to