When doing Linux mmapped capture:
Allocate a buffer into which to copy a packet, and have the
callback for pcap_next() and pcap_next_ex() copy to that buffer
and return a pointer to that buffer; we can't return the packet
data pointer passed to the callback, as, once the callback
returns, that buffer can be overwritten, even before you read
the next packet.
Don't tweak filter programs passed into the kernel to return
65535 on success - we don't have to, as we're not reading
packets with recvfrom(), and we don't want to, as, if we return
the actual snapshot length, the kernel will copy less data to
the ring buffer.
Truncate the packet snapshot length to the specified length, as
we might not have a filter to do that.
3 files changed
