From 0938e84fadd2e831ea8b085169839d80860ff5a5 Mon Sep 17 00:00:00 2001
From: Hang Yan <yhang@vmware.com>
Date: Tue, 12 Nov 2024 12:06:43 +0800
Subject: [PATCH] Fix packetcapture packets unrecognized issue on osx.

By default, gopacket will write snap length=0 in the pcapng file
header, means unlimited snaplen. tcpdump on osx(libpcap version 1.10.1)
cannot recognize this and will report error. This patch will set
a default value(524288) for it.

Signed-off-by: Hang Yan <yhang@vmware.com>
---
 pkg/agent/packetcapture/packetcapture_controller.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/pkg/agent/packetcapture/packetcapture_controller.go b/pkg/agent/packetcapture/packetcapture_controller.go
index 3691f0cd895..93d15e4875d 100644
--- a/pkg/agent/packetcapture/packetcapture_controller.go
+++ b/pkg/agent/packetcapture/packetcapture_controller.go
@@ -449,7 +449,14 @@ func (c *Controller) performCapture(
 	if err != nil {
 		return false, err
 	}
-	pcapngWriter, err := pcapgo.NewNgWriter(file, layers.LinkTypeEthernet)
+
+	// set SnapLength here to make tcpdump on Mac OSX works. By default, its value is
+	// 0 and means unlimited, but tcpdump on Mac OSX will complain:
+	// 'tcpdump: pcap_loop: invalid packet capture length <len>, bigger than snaplen of 524288'
+	defaultNgInterface := pcapgo.DefaultNgInterface
+	defaultNgInterface.SnapLength = 524288
+	defaultNgInterface.LinkType = layers.LinkTypeEthernet
+	pcapngWriter, err := pcapgo.NewNgWriterInterface(file, defaultNgInterface, pcapgo.DefaultNgWriterOptions)
 	if err != nil {
 		return false, fmt.Errorf("couldn't initialize a pcap writer: %w", err)
 	}