tcpdump mailing list archives
-e vs. -x, revisited
From: Guy Harris <gharris () sonic net>
Date: Tue, 17 Dec 2002 03:39:15 -0800
On Mon, Dec 16, 2002 at 10:38:43PM -0800, Guy Harris wrote:
> On Tue, Dec 17, 2002 at 12:19:18AM -0600, David Young wrote:
> > Hmm. Any reason that -ex and -eX do not dump the link layer data?
>
> I don't know why - it may be that somebody considered it A Feature that
> they don't, or it may be that whoever put in the latter of "-x" or "-e"
> didn't think of having "-e" affect the behavior of "-x". I'd have no
> problem with "-ex" and "-eX" dumping the link-layer data, if that
> wouldn't break somebody's scripts.

We've discussed this before:
http://www.tcpdump.org/lists/workers/2001/11/msg00048.html
"My belief is that if I specify -e, then I want -x to dump from the
beginning of the packet. Of course, this would be another output
change."
http://www.tcpdump.org/lists/workers/2001/11/msg00049.html
"I tend to agree.
In fact, I'm not sure why "-x" and "-X" don't *always* dump from the
beginning of the packet." [along with a case where the fact that
link-layer headers weren't dumped with "-e -x" confused some user]
http://www.tcpdump.org/lists/workers/2001/11/msg00050.html
"Any objections to making that the behaviour in >3.7?"
http://www.tcpdump.org/lists/workers/2001/11/msg00052.html
"> In fact, I'm not sure why "-x" and "-X" don't *always* dump from the
beginning of the packet.
Because you're only sometimes interested in the link layer header ?"
[but that doesn't mean that with "-e" it shouldn't dump from the
beginning of the packet - if you use "-e", you presumably *are*
interested in the link layer header]
and it was also brought up in
http://www.tcpdump.org/lists/workers/2002/08/msg00036.html
Unless somebody comes up with a good reason *NOT* to make "-e" cause
"-x" and "-X" to dump the link-layer header, it sounds like something we
should do, although, unfortunately, it means changing most if not all
"XXX_if_print()" routines (as the call to "default_print()" generally
passes a pointer and a length that have already been stepped past the
link-layer header, so we'd have to save the original pointer and capture
length in separate variables and step them forward if "eflag" isn't
true, and pass *those* to "default_print()", or put the link-layer
header back before calling "default_print()" if "eflag" is specified).
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
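
The first option described in the message (keep the original pointer and capture length, and step them past the link-layer header only when "eflag" isn't set), as an added example that is not tcpdump's code or part of the original post. The names `select_dump_span`, `hex_print` and `sample_frame` are hypothetical, the frame bytes are constructed, and the clamp for a capture shorter than the header is an assumption of this sketch.

```c
#include <stdio.h>

#define ETHER_HDRLEN 14 /* Ethernet II: dst(6) + src(6) + type(2) */

/* Constructed frame: broadcast dst, made-up src, type 0x0800, 4 payload bytes. */
static const unsigned char sample_frame[18] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x08, 0x00, 0x45, 0x00, 0x00, 0x14
};

/* Span of captured bytes to hand to the hex dumper. */
struct dump_span {
    const unsigned char *p;
    unsigned int len;
};

/*
 * Hypothetical helper: start from the original pointer and capture length
 * and skip the link-layer header only when eflag is not set.
 */
struct dump_span
select_dump_span(const unsigned char *pkt, unsigned int caplen,
                 unsigned int hdrlen, int eflag)
{
    struct dump_span s = { pkt, caplen };

    if (!eflag) {
        /* Truncated capture: never step past the bytes actually captured. */
        unsigned int skip = hdrlen < caplen ? hdrlen : caplen;
        s.p += skip;
        s.len -= skip;
    }
    return s;
}

/* Minimal stand-in for a hex dump routine, printing 16-bit groups. */
void hex_print(struct dump_span s)
{
    unsigned int i;

    for (i = 0; i < s.len; i++)
        printf("%02x%s", s.p[i], (i % 2 == 1 || i + 1 == s.len) ? " " : "");
    printf("\n");
}

int main(void)
{
    hex_print(select_dump_span(sample_frame, 18, ETHER_HDRLEN, 1)); /* with -e */
    hex_print(select_dump_span(sample_frame, 18, ETHER_HDRLEN, 0)); /* without */
    return 0;
}
```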