netbsd-users: Re: pflog on NetBSD

Subject: Re: pflog on NetBSD
To: yamt@netbsd.org, Chuck Swiger <cswiger@mac.com>
From: Brian A. Seklecki <lavalamp@spiritual-machines.org>
List: netbsd-users
Date: 09/15/2006 22:15:43

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

--0-1356962310-1158372375=:41854
Content-Type: TEXT/PLAIN; CHARSET=iso-8859-1; FORMAT=flowed
Content-Transfer-Encoding: 8BIT
Content-ID: <20060915220628.J41854@arbitor.digitalfreaks.org>


On the same subject, has anyone noticed the different format of pflog(4) 
on NetBSD v.s. OpenBSD.  Specifically, for ICMP/TCP/UDP, the type/port is 
absent from the source/destination address:

  OpenBSD pflog(4) line:

Sep 15 21:47:46.420650 rule 0/(match) block out on vlan40: 
206.210.89.202.62343 > 67.72.4.94.80: R 1515499462:1515499462(0) ack 
2101925191 win 0

  NetBSD pflog(4) line:

015133 rule 0/0(match): block in on fxp0: IP 206.210.112.118 > 
206.210.72.83: [|tcp]

TCP/UDP port = missing

This is with: # tcpdump -ttt -e -vvv -i pflog0 -e -n on both.

I'll open a PR.

~BAS

On Tue, 21 Jun 2005, Rubén González Arnau wrote:

> On Tue, Jun 21, 2005 at 07:12:24PM +0200, Rubén González Arnau wrote:
>> Hi all,
>>
>> I've got an error when I try to see information via tcdump (pflog
>> loggin)
>>
>> So, I use exactly these packages,
>>
>> 1) tcpdump-3.8.3nb3
>>
>> 2) libpcap-0.8.3
>>
>> 3) pflkm-20050511
>>
>> When I use tcpdump, I see this error
>>
>> sw2:~# tcpdump -i pflog0
>> tcpdump: WARNING: pflog0: no IPv4 address assigned
>> tcpdump: libpcap: unknown data link type 0x75
>>
>> My NetBSD version is 2.0.2, any idea?
>>
>> Thanks in advance!
>>
>> --
>> rga@sdf.lonestar.org
>> SDF Public Access UNIX System - http://sdf.lonestar.org
>
> The  pftcpdump works very well.
>
> Thanks!!
>
> -- 
> rga@sdf.lonestar.org
> SDF Public Access UNIX System - http://sdf.lonestar.org
>

l8*
 	-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
 	       http://www.spiritual-machines.org/

"...from back in the heady days when "helpdesk" meant nothing, "diskquota"
meant everything, and lives could be bought and sold for a couple of pages
of laser printout - and frequently were."
--0-1356962310-1158372375=:41854--