October 7, 2008

winpcap capture snaplen ONLY functional when a filter is set

Re: [WinPcap-users] snaplen only works when BPF is set ?

Loris Degioanni
Mon, 14 Feb 2005 22:39:35 -0800

Guy Harris wrote:

> phengmaly peter wrote:
>> It seems to me, that the pcap_open_live's snaplen argument has only effect when a BPF filter is set thereafter (pcap_setfilter).
>> Is it the intended functionality ? (both 3.0 and 3.1b4)
> At least on the original systems where BPF was implemented, the snapshot length was supplied by the BPF program; the "return" instruction in BPF includes a snapshot length value, which, if zero, means "discard this packet". On those systems, you need a BPF program to supply a snapshot length.
> The WinPcap driver might follow that model, in which case you'd see that behavior, just as you would, for example, on various BSD systems.

Yes, I confirm that the winpcap driver follows that model.

> On other systems, that's not the case. Perhaps libpcap should, when opening a device, install, on systems where the snapshot length comes from a BPF program, an initial BPF program that consists only of a "return" instruction with the specified snapshot length.

This is a good idea, but I'd leave it for the next winpcap release. We are sort of freezing the development to focus on fixing the last bugs in 3.1, so I'd prefer not to change the interface with libpcap now. The same applies to the "user buffer not emptied after a setfilter" problem.


No comments:

Post a Comment