Ethereal-users: Re: [Ethereal-users] ethereal cannot capture all of fragmented packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 5 Feb 2003 23:30:51 -0800

On Sun, Feb 02, 2003 at 01:11:23PM -0800, Guy Harris wrote:
> One such problem was mentioned in this libpcap bug report:
> 
> 	http://sourceforge.net/tracker/index.php?func=detail&aid=673958&group_id=53067&atid=469577
> 
> The bug complains that packet drops aren't reported as such by libpcap,
> even though the packets *are* dropped.  The bug *also* says that more
> changes are needed in order not to drop packets at all.
> 
> Note that, at least according to "truss", "snoop":
> 
> 	1) does *not* set the SB_NO_DROPS flag;
> 
> 	2) *does* set the chunk size with SBIOCSCHUNK, although I don't
> 	   know what it sets the chunk size to;
> 
> whereas libpcap does set SB_NO_DROPS and does not set the chunk size. 
> It might be that snoop setting the chunk size and libpcap not doing so
> makes a difference.

I've checked into the libpcap source tree the changes suggested by that
bug report; it no longer sets SB_NO_DROPS, and sets the chunk size to
the recommended value, which happens to be the value that snoop uses.

If you download the current CVS version of libpcap from

	http://www.tcpdump.org/

by going to that page and downloading "libpcap-current.tar.gz" from the
"Current tar files" section, build and install that version of libpcap,
and then build Ethereal from source, linking it with that version of
libpcap, the resulting Ethereal might do a better job of capturing
packets than a version linked with any of the released versions of
libpcap.