Re: pcap files with file header snaplen < packet

["Aaron Turner" <synfinatic () gmail com>]

On 12/5/06, Jefferson Ogata <Jefferson.Ogata () noaa gov> wrote:
> Aaron Turner wrote:
> > Perhaps I'm confused... how does an application using the libpcap API
> > get access to the snaplen?   I don't see any way to do that.
>
> int pcap_snapshot (pcap_t *)

Ah... there it is.  Doh.

> > Furthermore, all the libpcap functions seem to return a pointer to the
> > packet buffer, and said buffer is allocated by libpcap, not the
> > application.  I guess I don't see the danger.
>
> Yes, but an application could have allocated another buffer to copy that
> into based on snap. Of course it should check caplen, but there are a
> lot of lousy programmers out there.

True.   Perhaps by always returning 65535 (or whatever the max
snapshot is) would prevent bad things from happening.

> Like I say, I could go either way. But I think there is a potential problem.

Definitely.  Of course it would be nice for people who don't write
crappy code to be able to be able to handle this gracefully rather
then telling their users they're SOL.  Maybe yet another pcap function
ala pcap_next()/pcap_next_ex()?   Honestly, I'd really rather not
introduce yet another function to read packets from libpcap.  Again,
maybe hardcoding pcap_snapshot() might be viable?

--
Aaron Turner
http://synfin.net/
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.