[Winpcap-users] snaplen in pcap_open_live
Guy Harris
guy at alum.mit.edu
Fri Sep 19 19:44:31 GMT 2008

On Sep 19, 2008, at 9:40 AM, Gianluca Varenni wrote:
> snaplen is used only if you use a capture filter, as the snaplen
> feature is implemented as a filter. This is the standard behavior of
> snaplen on libpcap/winpcap.

...at least on *BSD, Mac OS X, and Windows. In Linux, the return
value of the BPF filter program isn't treated as a snapshot length,
and, on some other platforms, the BPF filter isn't even handed to the
kernel - in those cases, the snapshot length is supplied elsewhere,
which is why the snapshot length might happen to work without a
capture filter on Linux when it doesn't work on Windows (or *BSD or
Mac OS X).

> If you want to use snaplen and you don't need a filter, please
> compile an empty filter (i.e. the string "").

Yes. This, arguably, should be fixed, so that, if a snapshot length <
65535 is specified, and no capture filter is specified, a trivial BPF
program (ret {snapshot length}) is installed with BPF and WinPcap.
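
Added example, not part of the original message and not libpcap or WinPcap code: a small C model of the behaviour discussed above on platforms where the BPF program's return value is used as the snapshot length. With no program installed the whole packet is kept, while the trivial `ret {snapshot length}` program truncates it; `struct insn`, `run_filter` and `caplen` are hypothetical names, and the packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic BPF opcode values, as in <pcap/bpf.h>. */
#define OP_LD_H_ABS 0x28  /* BPF_LD|BPF_H|BPF_ABS: A = 16-bit big-endian value at pkt[k] */
#define OP_JEQ_K    0x15  /* BPF_JMP|BPF_JEQ|BPF_K: skip jt (equal) or jf (not equal) insns */
#define OP_RET_K    0x06  /* BPF_RET|BPF_K: return k = bytes to keep, 0 = drop */

struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };  /* same fields as struct bpf_insn */

/* Minimal interpreter for the three opcodes above (hypothetical helper).
 * A NULL program means "accept all" and returns (uint32_t)-1, as BSD's bpf_filter() does. */
static uint32_t run_filter(const struct insn *pc, size_t n, const uint8_t *pkt, uint32_t wirelen)
{
    uint32_t a = 0;
    if (pc == NULL) return (uint32_t)-1;
    for (size_t i = 0; i < n; i++) {
        switch (pc[i].code) {
        case OP_LD_H_ABS:
            if (pc[i].k > wirelen || wirelen - pc[i].k < 2) return 0;  /* out of bounds: drop */
            a = ((uint32_t)pkt[pc[i].k] << 8) | pkt[pc[i].k + 1];
            break;
        case OP_JEQ_K: i += (a == pc[i].k) ? pc[i].jt : pc[i].jf; break;
        case OP_RET_K: return pc[i].k;
        default: return 0;  /* opcode not modelled here: drop */
        }
    }
    return 0;  /* ran off the end of the program: drop */
}

/* Captured length when the snapshot length comes from the filter's return value. */
static uint32_t caplen(const struct insn *pc, size_t n, const uint8_t *pkt, uint32_t wirelen)
{
    uint32_t keep = run_filter(pc, n, pkt, wirelen);
    return keep < wirelen ? keep : wirelen;
}

int main(void)
{
    uint8_t pkt[1514] = {0};         /* constructed full-size Ethernet frame */
    pkt[12] = 0x08; pkt[13] = 0x00;  /* EtherType IPv4 */
    struct insn trivial[] = { { OP_RET_K, 0, 0, 96 } };  /* ret 96 */
    struct insn ip_only[] = { { OP_LD_H_ABS, 0, 0, 12 }, { OP_JEQ_K, 0, 1, 0x0800 },
                              { OP_RET_K, 0, 0, 96 }, { OP_RET_K, 0, 0, 0 } };
    printf("no filter: %u\n", (unsigned)caplen(NULL, 0, pkt, sizeof pkt));
    printf("ret 96:    %u\n", (unsigned)caplen(trivial, 1, pkt, sizeof pkt));
    printf("ip, 96:    %u\n", (unsigned)caplen(ip_only, 4, pkt, sizeof pkt));
    return 0;
}
```
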