On Feb 21, 2006, at 6:42 PM, axi wrote:
> When tcpdump receives a packet with prism headers recognized as above:
> "listening on ath0, link-type PRISM_HEADER (802.11 plus Prism header),
> capture size 96 bytes"
> always prints "[|802.11]", with data, control or administration packets.
> The size of packet result from pcap capture seems to be 96 bytes, but when
> I capture the same packet with Ethereal, is 240 bytes, 96 bytes + 144 bytes
> of Prism Headers.

Ethereal defaults to a snapshot length of 65535 bytes, meaning, in
effect, "capture everything".
Tcpdump defaults to a snapshot length of 68 bytes in versions without
IPv6 support, and 96 bytes in versions with IPv6 support, meaning
"throw everything past the first {68,96} bytes away".
Given that the Prism header is 144 bytes long, the default snapshot
length in tcpdump is completely useless when capturing packets with
Prism headers. (One could perhaps argue that, for link-layer types
with radio headers, the snapshot length should be increased by the
length of the header; however, for Radiotap, at least, the header
length is variable....)

> So, it seems that libpcap cut prism headers,

...because it was told to by tcpdump, and that was because tcpdump
wasn't told *not* to tell it to do so.
If you run modern versions of tcpdump with the flag "-s 0", they'll
use a snapshot length of 65535 bytes. (Older versions require "-s
65535", but I suspect most systems have modern versions these days.)
This is the tcpdump-workers list.
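
Added example, not part of the original message and not tcpdump or libpcap code: a check that reads a classic pcap file and counts records cut short by the snapshot length, flagging those where everything kept lies inside the 144-byte Prism header. The names build_pcap and audit_pcap are hypothetical, and the sample capture is constructed in memory.

```python
import struct

LINKTYPE_PRISM = 119      # LINKTYPE_IEEE802_11_PRISM in the pcap link-type registry
PRISM_HEADER_LEN = 144    # Prism header length as stated in the message above

def build_pcap(snaplen, linktype, wire_lengths):
    """Constructed sample: a classic pcap file whose frames are cut at snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for n, wire_len in enumerate(wire_lengths):
        caplen = min(wire_len, snaplen)
        out += struct.pack("<IIII", n, 0, caplen, wire_len) + bytes(caplen)
    return out

def audit_pcap(data):
    """Report how many records were truncated by the capture's snapshot length."""
    if len(data) < 24:
        raise ValueError("too short for a pcap file header")
    magic = struct.unpack_from("<I", data)[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    snaplen, linktype = struct.unpack_from(end + "II", data, 16)
    total = truncated = header_only = 0
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, wire_len = struct.unpack_from(end + "IIII", data, off)
        if off + 16 + caplen > len(data):
            break  # file ends mid-record; stop rather than misparse
        off += 16 + caplen
        total += 1
        if caplen < wire_len:
            truncated += 1
            # Everything kept lies inside the Prism header: no 802.11 bytes survive.
            if linktype == LINKTYPE_PRISM and caplen <= PRISM_HEADER_LEN:
                header_only += 1
    return {"snaplen": snaplen, "linktype": linktype, "total": total,
            "truncated": truncated, "header_only": header_only}

if __name__ == "__main__":
    # 240-byte frames (144-byte Prism header + 96 bytes), as in the report above.
    print(audit_pcap(build_pcap(96, LINKTYPE_PRISM, [240, 240])))
    print(audit_pcap(build_pcap(65535, LINKTYPE_PRISM, [240, 240])))
```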