Question

When I create a packet filter (e.g. for only TCP traffic) with

tcpdump -dd tcp

the packet filter output is

{ 0x28, 0, 0, 0x0000000c },
{ 0x15, 0, 2, 0x000086dd },
{ 0x30, 0, 0, 0x00000014 },
{ 0x15, 3, 4, 0x00000006 },
{ 0x15, 0, 3, 0x00000800 },
{ 0x30, 0, 0, 0x00000017 },
{ 0x15, 0, 1, 0x00000006 },
{ 0x6, 0, 0, 0x0000ffff },
{ 0x6, 0, 0, 0x00000000 },

But when I do the same programmatically:

#include <stdio.h>
#include <pcap/pcap.h>

int main(void)
{
  struct bpf_program fcode;
  struct bpf_insn *insn;
  int i;

  /* compile "tcp" for DLT_EN10MB, snaplen 1500, optimizer on, netmask 0 */
  pcap_compile_nopcap(1500, DLT_EN10MB, &fcode, "tcp", 1, 0);
  insn = fcode.bf_insns;
  for (i = 0; i < fcode.bf_len; ++insn, ++i)
    printf("{ 0x%x, %d, %d, 0x%08x },\n", insn->code, insn->jt, insn->jf, insn->k);
  pcap_freecode(&fcode);
  return 0;
}

I get the following packet filter output:

{ 0x28, 0, 0, 0x0000000c },
{ 0x15, 0, 5, 0x000086dd },
{ 0x30, 0, 0, 0x00000014 },
{ 0x15, 6, 0, 0x00000006 },
{ 0x15, 0, 6, 0x0000002c },
{ 0x30, 0, 0, 0x00000036 },
{ 0x15, 3, 4, 0x00000006 },
{ 0x15, 0, 3, 0x00000800 },
{ 0x30, 0, 0, 0x00000017 },
{ 0x15, 0, 1, 0x00000006 },
{ 0x6, 0, 0, 0x000005dc },
{ 0x6, 0, 0, 0x00000000 },

Why are the two packet filters different?


Solution

Probably because the tcpdump on your system is built with an older version of libpcap than your program. The tcpdump on your system is probably using a libpcap without this change:

commit 58275c05a5cf9c3512bcbb1192ff351d32ccccbd
Author: Guy Harris <guy@alum.mit.edu>
Date:   Thu Sep 1 22:21:45 2011 -0700

    Handle some amount of IPv6 fragmentation.

    If we're checking for a particular protocol running on top of IPv6, and
    we're not doing full protocol-chain chasing for all "running on top of
    IPv6" tests, at least check for a fragmentation header before the header
    for the protocol.

and your program is probably using a libpcap with that change. That change went into libpcap somewhere in the libpcap 1.3.x timeframe.
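To see what the extra instructions in the newer program actually change, here is an added example (not code from the question, the answer or libpcap): a minimal classic-BPF interpreter in Python that runs both instruction arrays quoted above over constructed packets. The four packets are built inline with zeroed addresses, since only the EtherType, the IPv6 Next Header fields and the IPv4 Protocol byte matter to these filters; the IPv6 Fragment header value 0x2c (44) is the one the new program tests at offset 0x14 before reading the next header at 0x36.

```python
"""Minimal classic-BPF (cBPF) interpreter used to run the two "tcp" filter
programs quoted on this page against constructed packets.

Added example: this is not code from the question, the answer or libpcap.
The filter arrays are copied from the page; every packet is built inline.
"""
import struct

# cBPF opcodes that appear in both programs (numeric values from <pcap/bpf.h>)
BPF_LD_H_ABS = 0x28  # A = ntohs(*(uint16_t *)(pkt + k))
BPF_LD_B_ABS = 0x30  # A = *(uint8_t *)(pkt + k)
BPF_JEQ_K = 0x15     # pc += (A == k) ? jt : jf
BPF_RET_K = 0x06     # accept k bytes (0 = drop)

# Program printed by the older tcpdump (snaplen 65535)
OLD_TCP = [
    (0x28, 0, 0, 0x0000000c), (0x15, 0, 2, 0x000086dd),
    (0x30, 0, 0, 0x00000014), (0x15, 3, 4, 0x00000006),
    (0x15, 0, 3, 0x00000800), (0x30, 0, 0, 0x00000017),
    (0x15, 0, 1, 0x00000006), (0x06, 0, 0, 0x0000ffff),
    (0x06, 0, 0, 0x00000000),
]

# Program from pcap_compile_nopcap() on the newer libpcap (snaplen 1500)
NEW_TCP = [
    (0x28, 0, 0, 0x0000000c), (0x15, 0, 5, 0x000086dd),
    (0x30, 0, 0, 0x00000014), (0x15, 6, 0, 0x00000006),
    (0x15, 0, 6, 0x0000002c), (0x30, 0, 0, 0x00000036),
    (0x15, 3, 4, 0x00000006), (0x15, 0, 3, 0x00000800),
    (0x30, 0, 0, 0x00000017), (0x15, 0, 1, 0x00000006),
    (0x06, 0, 0, 0x000005dc), (0x06, 0, 0, 0x00000000),
]


def run_bpf(prog, pkt):
    """Execute prog over pkt and return the accept length (0 means drop).

    A load past the end of the packet drops it, as the kernel filter does.
    """
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == BPF_LD_H_ABS:
            if k + 2 > len(pkt):
                return 0
            acc = struct.unpack_from("!H", pkt, k)[0]
        elif code == BPF_LD_B_ABS:
            if k >= len(pkt):
                return 0
            acc = pkt[k]
        elif code == BPF_JEQ_K:
            pc += jt if acc == k else jf
        elif code == BPF_RET_K:
            return k
        else:
            raise ValueError("opcode 0x%02x not handled by this toy interpreter" % code)
    raise ValueError("program ran off the end without a ret")


# Constructed packets: addresses are zero, only the fields the filters read matter.
def eth(ethertype, payload):
    return bytes(12) + struct.pack("!H", ethertype) + payload  # EtherType at offset 12


def ipv6(next_header, payload):
    # version 6, payload length, Next Header at offset 6, hop limit 64, 32 address bytes
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + bytes(32) + payload


def ipv6_fragment(next_header, payload):
    # Fragment extension header (RFC 8200 4.5): next header, reserved, offset|flags, id
    return struct.pack("!BBHI", next_header, 0, 0, 0x1234) + payload


def ipv4(protocol, payload):
    # 20-byte header, IHL 5; Protocol byte at offset 9
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       protocol, 0, bytes(4), bytes(4)) + payload


TCP_STUB = bytes(20)  # an all-zero TCP header is enough: the filters never read into it
V6_TCP = eth(0x86DD, ipv6(6, TCP_STUB))
V6_FRAG_TCP = eth(0x86DD, ipv6(44, ipv6_fragment(6, TCP_STUB)))  # TCP behind a Fragment header
V4_TCP = eth(0x0800, ipv4(6, TCP_STUB))
V4_UDP = eth(0x0800, ipv4(17, bytes(8)))


def compare(pkt):
    """(old filter accepts?, new filter accepts?) for one packet."""
    return run_bpf(OLD_TCP, pkt) != 0, run_bpf(NEW_TCP, pkt) != 0


if __name__ == "__main__":
    for name, pkt in [("IPv6 TCP", V6_TCP), ("IPv6 Frag+TCP", V6_FRAG_TCP),
                      ("IPv4 TCP", V4_TCP), ("IPv4 UDP", V4_UDP)]:
        old, new = compare(pkt)
        print("%-14s old filter: %-5s new filter: %s" % (name, old, new))
```

Running it shows the only behavioural difference: TCP carried directly over IPv4 or IPv6 is accepted by both programs, but TCP sitting behind an IPv6 Fragment header is dropped by the older program and accepted by the newer one. Two caveats for anyone relying on such a filter as a control rather than a convenience: the older program silently misses every fragmented IPv6 TCP packet, and, as the bytecode on the page shows, neither program looks past any other extension header (Hop-by-Hop, Destination Options, Routing), so "tcp" alone is not a complete IPv6 classifier. The differing accept values (0xffff versus 0x5dc) are not a libpcap version difference at all: the ret instruction returns the snaplen, which is tcpdump's default 65535 in one case and the 1500 passed to pcap_compile_nopcap() in the other.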

Licensed under: CC-BY-SA with attribution