[Winpcap-users] snaplen in pcap_open_live

Carlo Medas carlomedas at gmail.com
Sat Sep 20 15:15:42 GMT 2008

Dear Guy and Gianluca,
thank you very much for prompt reply; with you suggested correction it
worked perfectly on all platforms.

Keep up the amazing work.



On Fri, Sep 19, 2008 at 9:44 PM, Guy Harris <guy at alum.mit.edu> wrote:

> On Sep 19, 2008, at 9:40 AM, Gianluca Varenni wrote:
>  snaplen is used only if you use a capture filter, as the snaplen feature
>> is implemented as a filter. This is the standard behavior of snaplen on
>> libpcap/winpcap.
> ...at least on *BSD, Mac OS X, and Windows.  In Linux, the return value of
> the BPF filter program isn't treated as a snapshot length, and, on some
> other platforms, the BPF filter isn't even handed to the kernel - in those
> cases, the snapshot length is supplied elsewhere, which is why the snapshot
> length might happen to work without a capture filter on Linux when it
> doesn't work on Windows (or *BSD or Mac OS X).
>> If you want to use snaplen and you don't need a filter, please compile an
>> empty filter (i.e. the string "").
> Yes.  This, arguably, should be fixed, so that, if a snapshot length <
> 65535 is specified, and no capture filter is specified, a trivial BPF
> program (ret {snapshot length}) is installed with BPF and WinPcap.
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20080920/d8750a9d/attachment.htm

More information about the Winpcap-users mailing list