[tcpdump-workers] Handling "-x" and "-xx" if the "link-layer header type" includes metadata

Guy Harris guy at alum.mit.edu
Fri Apr 3 19:45:35 EDT 2015

Somebody got confused by tcpdump on OS X Yosemite defaulting to capturing on all devices simultaneously, meaning that it got PKTAP metadata headers:


and asked about this on SuperUser because the "tcpdump -x" and "tcpdump -xx" output wasn't what they expected, as they weren't getting Ethernet headers:


I think a case can be made that "tcpdump -x" should skip both metadata headers and link-layer headers; I don't see any issues with doing that.

A case can also be made that "tcpdump -xx" should at least skip metadata headers, although there *might* be scripts, for example, that expect to see radiotap headers dumped in hex with "tcpdump -xx".

My inclination would be to have:

	-x mean "skip metadata and link-layer headers";

	-xx mean "skip metadata headers";

	-xxx mean "dump the entire payload, skipping nothing."

Does that seem reasonable?
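To make the three proposed levels concrete, here is an added example (not code from tcpdump or from this post) that takes a constructed PKTAP-wrapped Ethernet/IPv4 frame and returns what each of -x, -xx and -xxx would dump under the proposed semantics, formatted like tcpdump's hex output. It assumes the PKTAP header starts with a 32-bit total length field at offset 0 and a 32-bit DLT field at offset 8 in host byte order, and that DLT_EN10MB (1) means a 14-byte Ethernet header; the header length, addresses and IPv4 bytes are constructed sample values.

```python
import struct

# Assumed PKTAP metadata header layout (host byte order, little-endian here):
#   offset 0: pkt_len   (u32, total length of the metadata header)
#   offset 4: pkt_rectype (u32)
#   offset 8: pkt_dlt   (u32, DLT of the encapsulated frame)
# Everything past offset 12 is zero padding in this constructed sample.
PKTAP_HDR_LEN = 32          # constructed; a real header is longer
DLT_EN10MB = 1
LINK_HDR_LEN = {DLT_EN10MB: 14}   # Ethernet II header length per DLT

def build_sample_packet():
    """Constructed PKTAP + Ethernet + minimal IPv4 frame (no valid checksum)."""
    metadata = struct.pack("<III", PKTAP_HDR_LEN, 0, DLT_EN10MB).ljust(PKTAP_HDR_LEN, b"\0")
    ethernet = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ipv4 = bytes.fromhex("45000014000040004001000a0a0000010a000002")
    return metadata + ethernet + ipv4

def bytes_for_x_level(packet, x_count):
    """Bytes to dump for -x (1), -xx (2) or -xxx (3) under the proposed rules."""
    pkt_len, _rectype, dlt = struct.unpack_from("<III", packet, 0)
    if pkt_len > len(packet):
        raise ValueError("metadata header length exceeds packet length")
    if x_count >= 3:
        return packet                     # -xxx: skip nothing
    if x_count == 2:
        return packet[pkt_len:]           # -xx: skip metadata only
    link_len = LINK_HDR_LEN.get(dlt)
    if link_len is None:
        raise ValueError(f"no link-layer header length known for DLT {dlt}")
    return packet[pkt_len + link_len:]    # -x: skip metadata and link layer

def hexdump(data):
    """Render bytes in tcpdump's -x style: tab, 0xNNNN offset, 16-bit words."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        words = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        lines.append(f"\t0x{off:04x}:  {words}")
    return "\n".join(lines)

if __name__ == "__main__":
    pkt = build_sample_packet()
    for level, flag in ((1, "-x"), (2, "-xx"), (3, "-xxx")):
        print(f"{flag}:")
        print(hexdump(bytes_for_x_level(pkt, level)))
```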
