It appears that the difference is that show_filter_code in dumpcap is calling open_capture_device, which eventually calls pcap_create and creates a real pcap_t (it's the same thing called when actually capturing), whereas the other places call pcap_open_dead, which "open a fake pcap_t for compiling filters or opening a capture for output".

edit: Apparently the dumpcap version is correct (superior), see: https://github.com/the-tcpdump-group/libpcap/issues/1513

The extra instructions involve the SKF_AD_VLAN_TAG_PRESENT BPF extension that can test whether or not a VLAN tag is present, instead of assuming that it is and always adding the 4 byte offset.