
Why does libpcap capture incomplete packets?

I'm running "tcpdump port 1025 -w out.pcap -s 4000" and for all packets sent from localhost I see "XXX bytes on wire, 54 bytes captured" (only ethernet and tcp headers are captured, data is not captured). Obviously, the snaplen is 4000, therefore I can't figure out why the packet is cut in the middle. I also wrote a program that uses libpcap directly and the same phenomenon occurred. This happened on both libpcap 1.1.1 and 1.2.0rc1, however on libpcap 0.9.8 it worked!

I'm using SLE10 with SP3, and have another computer with the exact same OS and programs installed where it works great.

Here's a sample capture.


There's a bug in the libpcap support for Linux's memory-mapped capture mechanism, which is fixed in newer versions; it should be fixed in the trunk and 1.2 branches. That support wasn't present in libpcap 0.x, so it wasn't present in libpcap 0.9.8.
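
To check an existing capture for the symptom described in the question, the following added example (not part of the original question or answer) reads a classic pcap file and lists records that were captured shorter than both their on-wire length and the file's snaplen. The function names and the sample capture are constructed for illustration, and it assumes the classic pcap format, not pcapng.

```python
import struct

MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # microsecond / nanosecond classic pcap


def short_captures(data):
    """Return (snaplen, [(index, captured, on_wire), ...]) for records that
    were cut off below what the file's snaplen allowed."""
    if len(data) < 24:
        raise ValueError("not a pcap file: global header is 24 bytes")
    for endian in ("<", ">"):  # the magic number tells us the byte order
        magic, _maj, _min, _zone, _sig, snaplen, _link = struct.unpack(
            endian + "IHHiIII", data[:24])
        if magic in MAGICS:
            break
    else:
        raise ValueError("unknown magic (pcapng is not handled here)")

    flagged, offset, index = [], 24, 0
    while offset + 16 <= len(data):  # stop cleanly on a cut-off file
        _sec, _frac, captured, on_wire = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        # Truncation at snaplen is normal; anything shorter than
        # min(on_wire, snaplen) means the capture path lost bytes.
        if captured < min(on_wire, snaplen):
            flagged.append((index, captured, on_wire))
        offset += 16 + captured
        index += 1
    return snaplen, flagged


def build_sample():
    """Constructed capture: snaplen 4000, three records with zeroed payloads."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 4000, 1)
    for captured, on_wire in [(60, 60), (54, 1514), (4000, 9000)]:
        out += struct.pack("<IIII", 0, 0, captured, on_wire) + bytes(captured)
    return out


if __name__ == "__main__":
    snaplen, bad = short_captures(build_sample())
    for index, captured, on_wire in bad:
        print(f"record {index}: {on_wire} bytes on wire, "
              f"{captured} captured, snaplen {snaplen}")
```

Only the second constructed record is reported: the first is complete and the third is legitimately cut at the snaplen.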
