1
votes

I'm running "tcpdump port 1025 -w out.pcap -s 4000" and for all packets sent from localhost I see "XXX bytes on wire, 54 bytes captured" (only Ethernet and TCP headers are captured, data is not captured). Obviously, the snaplen is 4000, therefore I can't figure out why the packet is cut in the middle. I also wrote a program that uses libpcap directly and the same phenomenon occurred. This happened on both libpcap 1.1.1 and 1.2.0rc1, however on libpcap 0.9.8 it worked!

I'm using SLE10 with SP3, and have another computer with the exact same OS and programs installed where it works great.

Here's a sample capture.

1
Have you tried it with -s0? - Kerrek SB
That's really weird and shouldn't happen. Maybe try it off some live CD, just to be sure that it's a software problem on your end... - Kerrek SB
Just tried it from a live CD, it worked. I think it might be an issue of some NIC configuration since I have another computer with the same OS and software where tcpdump works (different hardware). Any idea? - Shay

1 Answer

0
votes

There's a bug in the libpcap support for Linux's memory-mapped capture mechanism, which is fixed in newer versions; it should be fixed in the trunk and 1.2 branches. That support wasn't present in libpcap 0.x, so it wasn't present in libpcap 0.9.8.
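
To check a saved capture for the symptom described in the question, the following added example (not code from the question or the answer) reads the classic pcap file header and per-record headers and lists records whose captured length is below both the on-wire length and the file's own snaplen. The function names and the in-memory sample capture are constructed for illustration; pcapng files are not handled.

```python
import io
import struct

# Classic pcap magic numbers (microsecond and nanosecond variants) -> struct byte order
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",
}

def find_short_captures(stream):
    """Return (snaplen, [(record_no, bytes_on_wire, bytes_captured), ...]) for
    records that were cut shorter than the file's snaplen allows."""
    header = stream.read(24)
    if len(header) < 24 or header[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file")
    endian = PCAP_MAGICS[header[:4]]
    snaplen = struct.unpack(endian + "I", header[16:20])[0]
    short, record_no = [], 0
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            break  # clean end of file (or a truncated record header)
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        if len(stream.read(incl_len)) < incl_len:
            break  # file ends in the middle of a record
        record_no += 1
        # A correct capture stores min(on-wire length, snaplen) bytes.
        if incl_len < min(orig_len, snaplen):
            short.append((record_no, orig_len, incl_len))
    return snaplen, short

def build_sample():
    """Constructed capture: snaplen 4000, Ethernet link type, three records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 4000, 1)
    # (on wire, captured): header-only packet, the symptom, a legitimate snaplen cut
    for orig_len, incl_len in [(54, 54), (1514, 54), (5000, 4000)]:
        out += struct.pack("<IIII", 0, 0, incl_len, orig_len) + bytes(incl_len)
    return io.BytesIO(out)

if __name__ == "__main__":
    snaplen, short = find_short_captures(build_sample())
    print(f"snaplen in file header: {snaplen}")
    for record_no, on_wire, captured in short:
        print(f"record {record_no}: {on_wire} bytes on wire, {captured} bytes captured")
```

To run it against a real file, pass `open("out.pcap", "rb")` instead of the constructed sample.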