Libpcap version 1.0.0 and greater uses mmap with a kernel-space ring buffer. You may see the following comment in the create_ring() function, which creates this ring and populates it with fixed-size frames:
"
	 * So, for now, we just do this for Ethernet devices, where
	 * there's no metadata header, and the link-layer header is
	 * fixed length.  We can get the maximum packet size by
	 * adding 18, the Ethernet header length plus the CRC length
	 * (just in case we happen to get the CRC in the packet), to
	 * the MTU of the interface; we fetch the MTU in the hopes
	 * that it reflects support for jumbo frames.  (Even if the
	 * interface is just being used for passive snooping, the driver
	 * might set the size of buffers in the receive ring based on
	 * the MTU, so that the MTU limits the maximum size of packets
	 * that we can receive.)
	 *
	 * We don't do that if segmentation/fragmentation or receive
	 * offload are enabled, so we don't get rudely surprised by
	 * "packets" bigger than the MTU.
	 */
"

It may explain both your and my issues. But it does not provide any solution.