From: Jason Ish Date: Thu, 15 Dec 2016 18:36:25 +0000 (-0600) Subject: log-pcap: use a snaplen of 262144 instead of -1. X-Git-Tag: suricata-3.2.1~95 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=79a3c6c7b1f1b2a99191ff8df4deb43f12c9c547;p=thirdparty%2Fsuricata.git log-pcap: use a snaplen of 262144 instead of -1. Newer versions of libpcap will not open pcap files with a snaplen of -1, instead use the current maximum value of 262144. Issue: https://redmine.openinfosecfoundation.org/issues/1987
---
diff --git a/src/log-pcap.c b/src/log-pcap.c
index 622b30466c..cc309e318a 100644
--- a/src/log-pcap.c
+++ b/src/log-pcap.c
@@ -82,6 +82,8 @@
 #define HONOR_PASS_RULES_DISABLED 0
 #define HONOR_PASS_RULES_ENABLED 1
+#define PCAP_SNAPLEN 262144
+
 SC_ATOMIC_DECLARE(uint32_t, thread_cnt);
 typedef struct PcapFileName_ {
@@ -317,7 +319,7 @@ static int PcapLogOpenHandles(PcapLogData *pl, const Packet *p)
 if (pl->pcap_dead_handle == NULL) {
 if ((pl->pcap_dead_handle = pcap_open_dead(p->datalink,
- -1)) == NULL) {
+ PCAP_SNAPLEN)) == NULL) {
 SCLogDebug("Error opening dead pcap handle");
 return TM_ECODE_FAILED;
 }
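Review bot: `PCAP_SNAPLEN` in the first hunk is defined without a comment, so the reason for 262144 is recorded only in the commit message. I would add `/* Snaplen written to the pcap file header; newer libpcap refuses to open files with -1, 262144 is its current maximum. */` above the define. The commit message itself calls the value the "current" maximum, so the comment should say that it tracks a libpcap limit and needs revisiting if that limit changes.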
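Review bot: The failure branch of `pcap_open_dead()` in the second hunk still reports only through `SCLogDebug("Error opening dead pcap handle")`, which is presumably silent outside debug builds. A sensor that cannot open its pcap log therefore returns `TM_ECODE_FAILED` without telling the operator that packet capture has stopped, so I would raise that message to an error-level log call. Separately, nothing visible here bounds the length of records later written against this handle to `PCAP_SNAPLEN`; if the write path can exceed it, readers may reject or truncate those records, which is worth confirming. The body of `PcapLogOpenHandles` starts and ends outside the hunk.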