[Coral-dev] crl_to_pcap and snaplen

Ken Keys coral-info@caida.org
Mon, 25 Nov 2002 15:26:05 -0800


On Mon, Nov 25, 2002 at 04:34:18PM -0500, Chris Rapier wrote:
> 
> Ken Keys wrote:
> >On Mon, Nov 25, 2002 at 02:50:50PM -0500, Chris Rapier wrote:
> >
> >>I've been trying to get the latest revision of coralreef to only capture 
> >>the 1st 48 bytes of each packet on a live pcap interface. I thought I 
> >>would use something like -C'm=48' or 'iomode=\!user' and various 
> >>combinations but I still seem to be capturing payload data as well. Is 
> >>there a way to do this on a live pcap interface (SysKonnect GigE card) or 
> >>should I just resort to tcpdump?
> >
> >
> >The -Cm=48 should work as expected on live pcap interfaces, capturing
> >only the first 48 bytes of each packet. 
> 
> nope, not working.
> /usr/local/Coral/bin/crl_to_pcap -C'duration=5' -Cm=48 -r -o foo if:sk0
> 
> If I then run strings against foo I see html headers, bits of email, and so 
> forth - which leads me to believe that far more than the first 48 bytes are 
> being snagged.

Ok, I've found the problem; the workaround is to supply a bpf filter
(e.g., "-C'filter ip'"; or if you really want everything, use a filter
that matches everything, e.g. "-C'filter ip or !ip'").

Explanation:  snaplen truncation is done by the code that applies the
bpf filter, not by the libpcap code that reads packets.  The reason
tcpdump works without a filter but coral does not is that even when you
don't give tcpdump a filter it still effectively applies an empty filter,
whereas coral does not apply any filter at all.

-- 
Ken Keys
kkeys@caida.org
CoralReef:  http://www.caida.org/tools/measurement/coralreef/
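A more precise check than running strings against the output file, added here as an example that is not part of the thread or of CoralReef: parse the pcap file's record headers and compare each record's captured length with the intended snaplen. The sample pcap bytes are constructed inline; the 48-byte snaplen comes from the thread, and the check assumes classic libpcap format (not pcapng).

```python
import struct

PCAP_GLOBAL_HDR = "IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_HDR = "IIII"      # ts_sec, ts_usec, caplen (incl_len), origlen


def parse_pcap(data):
    """Parse a classic libpcap file; return (header snaplen, list of (caplen, origlen, bytes))."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":        # 0xa1b2c3d4 written little-endian
        e = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":      # big-endian writer
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng / nanosecond variants not handled)")
    _, _, _, _, _, snaplen, _ = struct.unpack(e + PCAP_GLOBAL_HDR, data[:24])
    records, off = [], 24
    while off + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack(e + PCAP_RECORD_HDR, data[off:off + 16])
        off += 16
        records.append((caplen, origlen, data[off:off + caplen]))
        off += caplen
    return snaplen, records


def find_untruncated(data, snaplen=48):
    """Indices of records whose captured length exceeds the snaplen they should have been cut to."""
    _, records = parse_pcap(data)
    return [i for i, (caplen, _, _) in enumerate(records) if caplen > snaplen]


def build_pcap(snaplen, packets):
    """Build a constructed little-endian pcap from (captured bytes, original length) pairs, linktype 1."""
    out = struct.pack("<" + PCAP_GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, (captured, origlen) in enumerate(packets):
        # constructed timestamp; seconds field is arbitrary, usec field just keeps records distinct
        out += struct.pack("<" + PCAP_RECORD_HDR, 1038262205, i, len(captured), origlen) + captured
    return out


# Constructed sample: first record correctly cut to 48 bytes, second written with its full payload
SAMPLE = build_pcap(48, [
    (b"\x00" * 48, 1514),                              # headers only, as -Cm=48 intends
    (b"\x00" * 54 + b"GET / HTTP/1.1\r\n", 1514),      # payload leaked: caplen 70 > 48
])

if __name__ == "__main__":
    print("records exceeding snaplen:", find_untruncated(SAMPLE))  # [1]
```

A capture taken with the workaround filter applied should yield an empty list for every record.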