On Nov 4, 2010, at 11:54 AM, Xiaochun Lu wrote:
> My libpcap version is libpcap_1.2.0.
The latest release from tcpdump.org is 1.1.1. If you build the Git trunk version, it's 1.2.0-PRE-GIT.
What does "dumpcap -v" print?
> xcrp is a network device with
> special link layer header. I guess the problem is libpcap can't
> figure out what it is.
No, it can figure it out, but it probably doesn't realize that the link-layer header doesn't support a link-layer type field of the type it understands - which means that it won't support a TCP-based or UDP-based filter such as "port 123", as it won't even be able to figure out whether a packet is an IP packet.
Is xcrp a regular network device, or is it a device with special support in libpcap? If it's a regular network device, what's its ARPHRD_ value?