In reading the man pages for tcpdump, I saw that the -dd argument would output the dump as a fragment of a C file. In what situations is that useful? I take it this is to quickly include and compile the fragment in a program that will be used to process the data according to code we write ourselves? Does this have its utility with unknown or new protocols? Is there some other common, standing situation in which this is needed? Just curious.
It's useful if you're writing a program using libpcap/WinPcap that would use a filter but that, for whatever reason, wouldn't run pcap_compile() to translate a filter string into BPF machine code; it lets you do the compilation with tcpdump and generate some text that you could use in the initialization of an array of struct bpf_insn (a pointer to which, and a count of elements in which, you'd put in a struct bpf_program).
I'm not sure who would do that, however.
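As an added illustration, not part of the answer above and not code from libpcap or tcpdump, here is what such an array actually does once a program installs it: a small interpreter for the classic BPF instruction format that runs a -dd style program over constructed Ethernet/IPv4/TCP frames. The instruction listing is hand-assembled to match what tcpdump -d 'ip and tcp dst port 22' prints for an Ethernet link; the 262144 in the ret instruction is tcpdump's snaplen and, like every other number in it, should be regenerated with -dd on your own system rather than copied from here. The struct bpf_insn definition and the opcode constants are redeclared locally, mirroring <pcap/bpf.h>, so the file builds without libpcap; in a real libpcap program you would include pcap.h instead, point a struct bpf_program's bf_insns at the array, set bf_len to its element count, and hand it to pcap_setfilter(). The sample frames, the filter_demo() helper and the function names are assumptions made for this example.

```c
/* Added example, not from the original post: a minimal classic-BPF interpreter that
 * executes an instruction array in the form `tcpdump -dd` prints, i.e. what libpcap
 * runs per packet once pcap_setfilter() installs it. Builds without libpcap: the struct
 * and opcode constants mirror <pcap/bpf.h>; only the opcodes common filters use are handled. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_SIZE(c)  ((c) & 0x18)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_SRC(c)   ((c) & 0x08)
#define BPF_RVAL(c)  ((c) & 0x18)
enum { BPF_LD = 0x00, BPF_LDX = 0x01, BPF_JMP = 0x05, BPF_RET = 0x06 };
enum { BPF_W = 0x00, BPF_H = 0x08, BPF_B = 0x10, BPF_K = 0x00, BPF_X = 0x08, BPF_A = 0x10 };
enum { BPF_ABS = 0x20, BPF_IND = 0x40, BPF_MSH = 0xa0 };
enum { BPF_JEQ = 0x10, BPF_JGT = 0x20, BPF_JGE = 0x30, BPF_JSET = 0x40 };

/* Big-endian load of 1/2/4 bytes at off; 0 if it would read past the end of the packet. */
static int load(const uint8_t *p, size_t len, uint64_t off, int size, uint32_t *out)
{
    size_t n = size == BPF_W ? 4 : size == BPF_H ? 2 : 1;
    if (off > len || len - off < n) return 0;
    for (*out = 0; n; n--) *out = (*out << 8) | p[off++];
    return 1;
}

/* Run prog over one packet; returns the ret value (bytes to keep, 0 = drop). An
 * out-of-bounds load or an opcode not handled here rejects the packet. */
uint32_t bpf_run(const struct bpf_insn *prog, size_t ninsn, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0, v;
    for (size_t pc = 0; pc < ninsn; ) {
        const struct bpf_insn *in = &prog[pc++];
        uint16_t c = in->code;
        switch (BPF_CLASS(c)) {
        case BPF_LD: case BPF_LDX: {
            uint32_t *r = BPF_CLASS(c) == BPF_LD ? &A : &X;
            if (BPF_MODE(c) == BPF_MSH) {                  /* ldxb 4*([k]&0xf): IPv4 IHL */
                if (!load(pkt, len, in->k, BPF_B, r)) return 0;
                *r = (*r & 0x0f) * 4;
            } else if (BPF_MODE(c) == BPF_ABS || BPF_MODE(c) == BPF_IND) {
                uint64_t off = (uint64_t)in->k + (BPF_MODE(c) == BPF_IND ? X : 0);
                if (!load(pkt, len, off, BPF_SIZE(c), r)) return 0;
            } else return 0;
            break;
        }
        case BPF_JMP:                       /* jt/jf count from the next instruction */
            v = BPF_SRC(c) == BPF_X ? X : in->k;
            switch (BPF_OP(c)) {
            case BPF_JEQ:  pc += (A == v) ? in->jt : in->jf; break;
            case BPF_JGT:  pc += (A > v)  ? in->jt : in->jf; break;
            case BPF_JGE:  pc += (A >= v) ? in->jt : in->jf; break;
            case BPF_JSET: pc += (A & v)  ? in->jt : in->jf; break;
            default: return 0;
            }
            break;
        case BPF_RET: return BPF_RVAL(c) == BPF_A ? A : in->k;
        default: return 0;                  /* ALU/ST/MISC not used by this program */
        }
    }
    return 0;
}

/* Hand-assembled from the listing `tcpdump -d 'ip and tcp dst port 22'` prints for an
 * Ethernet link; regenerate it with -dd on your system (262144 is tcpdump's snaplen). */
static const struct bpf_insn ip_tcp_dst_22[] = {
    { 0x28, 0, 0, 0x0000000c },  /* (000) ldh  [12]                    ethertype             */
    { 0x15, 0, 8, 0x00000800 },  /* (001) jeq  #0x800    jt 2  jf 10   IPv4?                 */
    { 0x30, 0, 0, 0x00000017 },  /* (002) ldb  [23]                    IPv4 protocol         */
    { 0x15, 0, 6, 0x00000006 },  /* (003) jeq  #0x6      jt 4  jf 10   TCP?                  */
    { 0x28, 0, 0, 0x00000014 },  /* (004) ldh  [20]                    flags/fragment offset */
    { 0x45, 4, 0, 0x00001fff },  /* (005) jset #0x1fff   jt 10 jf 6    non-first fragment?   */
    { 0xb1, 0, 0, 0x0000000e },  /* (006) ldxb 4*([14]&0xf)            X = IPv4 hdr length   */
    { 0x48, 0, 0, 0x00000010 },  /* (007) ldh  [x + 16]                TCP dst port          */
    { 0x15, 0, 1, 0x00000016 },  /* (008) jeq  #0x16     jt 9  jf 10                         */
    { 0x6, 0, 0, 0x00040000 },   /* (009) ret  #262144                 accept                */
    { 0x6, 0, 0, 0x00000000 },   /* (010) ret  #0                      drop                  */
};

/* Constructed (not captured) 54-byte Ethernet/IPv4/TCP frame to TCP port dport with IPv4
 * flags+fragment field frag (0x4000 = DF); optionally truncated to trunc bytes, then filtered. */
uint32_t filter_demo(uint16_t dport, uint16_t frag, size_t trunc)
{
    uint8_t pkt[54] = { [12] = 0x08, 0x00, 0x45, 0, 0, 40, [22] = 64, 6,
                        [26] = 10, 0, 0, 1, 10, 0, 0, 2, 0xc0, 0, [46] = 0x50, 0x02, 0x20 };
    pkt[20] = frag >> 8; pkt[21] = frag & 0xff;      /* IPv4 flags / fragment offset */
    pkt[36] = dport >> 8; pkt[37] = dport & 0xff;    /* TCP destination port */
    size_t len = trunc && trunc < sizeof pkt ? trunc : sizeof pkt;
    return bpf_run(ip_tcp_dst_22, sizeof ip_tcp_dst_22 / sizeof ip_tcp_dst_22[0], pkt, len);
}

int main(void)
{
    printf("%u %u %u %u\n", filter_demo(22, 0x4000, 0),   /* 262144: accepted            */
                            filter_demo(80, 0x4000, 0),   /* 0: wrong port               */
                            filter_demo(22, 0x2008, 0),   /* 0: non-first fragment       */
                            filter_demo(22, 0x4000, 30)); /* 0: truncated, load past end */
    return 0;
}
```

Two things the walk-through makes visible that the filter string hides: a port filter never matches a non-first IP fragment (instruction 005 drops it before the port field is read), and a frame shorter than the field being loaded is rejected rather than read past its end, which is the same rule the libpcap and kernel interpreters apply. The array is also the same classic BPF format a Linux socket filter (SO_ATTACH_FILTER) executes, so a -dd listing is a reviewable, tool-independent artifact, not just a libpcap convenience.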