tcpdump mailing list archives
Handling "-x" and "-xx" if the "link-layer header type" includes metadata
From: Guy Harris <guy () alum mit edu>
Date: Fri, 3 Apr 2015 16:45:35 -0700
Somebody got confused by tcpdump on OS X Yosemite defaulting to capturing on all devices simultaneously, meaning that
it got PKTAP metadata headers:
http://www.tcpdump.org/linktypes/LINKTYPE_PKTAP.html
and asked about this on SuperUser because the "tcpdump -x" and "tcpdump -xx" output wasn't what they expected, as they
weren't getting Ethernet headers:
http://superuser.com/questions/897579/what-does-tcpdump-xx-do-in-mac-os-x/897625
I think a case can be made that "tcpdump -x" should skip both metadata headers and link-layer headers; I don't see any
issues with doing that.
A case can also be made that "tcpdump -xx" should at least skip metadata headers, although there *might* be scripts,
for example, that expect to see radiotap headers dumped in hex with "tcpdump -xx", for example.
My inclination would be to have:
-x mean "skip metadata and link-layer headers";
-xx mean "skip metadata headers";
-xxx mean "dump the entire payload, skipping nothing".
Does that seem reasonable?
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
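The option semantics proposed in the message above, as an added example that is not code from tcpdump or from the post. It assumes the metadata header opens with its own length as a 32-bit little-endian field; `dump_offset`, `xlevel` and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: 8-byte stand-in metadata header (length field = 8),
 * 14-byte Ethernet header, 4 payload bytes. A real PKTAP header has more fields. */
static const uint8_t sample[26] = {
    0x08, 0, 0, 0, 0, 0, 0, 0,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02, 0, 0, 0, 0, 0x01, 0x08, 0x00,
    0xde, 0xad, 0xbe, 0xef
};

/* Offset where the hex dump starts under the proposed semantics:
 *   xlevel 1 (-x): skip metadata and link-layer headers
 *   xlevel 2 (-xx): skip the metadata header only
 *   xlevel 3 (-xxx): skip nothing
 * Assumption: the metadata header opens with its own length as a 32-bit
 * little-endian value. Returns -1 on a truncated capture or bad length. */
long dump_offset(int xlevel, const uint8_t *pkt, size_t caplen, size_t linklen)
{
    if (xlevel >= 3)
        return 0;
    if (caplen < 4)
        return -1;
    uint32_t meta = (uint32_t)pkt[0] | (uint32_t)pkt[1] << 8 |
                    (uint32_t)pkt[2] << 16 | (uint32_t)pkt[3] << 24;
    if (meta < 4 || meta > caplen)
        return -1;              /* never trust a length taken from the packet */
    if (xlevel == 2)
        return (long)meta;
    if (linklen > caplen - meta)
        return -1;              /* link-layer header cut off by the snaplen */
    return (long)(meta + linklen);
}

int main(void)
{
    for (int x = 1; x <= 3; x++) {
        long off = dump_offset(x, sample, sizeof sample, 14);
        printf("xlevel %d:", x);
        for (size_t i = (size_t)off; off >= 0 && i < sizeof sample; i++)
            printf(" %02x", sample[i]);
        printf("\n");
    }
    return 0;
}
```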
