mirror of
https://github.com/zeek/zeek.git
synced 2025-10-06 08:38:20 +00:00
fcd735cecd
The pcap file format has a global header and a header per packet. The global header of the pcap in question had a snaplen of 1, but with packet headers indicating the full number of bytes saved within the file. It seems like the pcap file must of been artifically edited in order for it to be this way. When reporting the captured length of a packet, Apple's version of libpcap now seems to report the full number of bytes saved within the pcap's per-packet headers, but other versions seem to report the snaplen from the global pcap header. This caused the core.truncation test to behave differently on macOS from other platforms. I've manually hexedit'd the pcap so that the snaplen is still 1, but contains just a single packet with a pcap header indicating a length of 8, which is less than the size of the link layer header and so should still test the original code path that the unit test intended to exercise.
49 B
49 B