Subject: Re: pflog on NetBSD
To: Jeremy C. Reed <email@example.com>
From: Brian A. Seklecki <firstname.lastname@example.org>
Date: 09/19/2006 09:42:38
Interesting, same results with newer version:
/usr/pkgsrc/net/tcpdump/work/tcpdump-3.9.4$ ./tcpdump -V
tcpdump version 3.9.4
libpcap version 0.9.4
$ /usr/sbin/tcpdump -V
tcpdump version 3.8.3
libpcap version 0.8.3
$ sudo ./tcpdump -n -e -ttt -i pflog0 -vvv
344315 rule 0/0(match): block in on le0: (tos 0x0, ttl 63, id 61456,
offset 0, flags [DF], proto: TCP (6), length: 64) 220.127.116.11 >
I'll have to have a look at how OpenBSD has patched print-pf.c, which is
almost a certainty given the version diff:
$u@s/home/seklecki$ tcpdump -V
tcpdump version 3.4.0
libpcap version 0.5
On Fri, 15 Sep 2006, Jeremy C. Reed wrote:
>> On the same subject, has anyone noticed the different format of pflog(4) on
>> NetBSD v.s. OpenBSD. Specifically, for ICMP/TCP/UDP, the type/port is absent
>> from the source/destination address:
>> OpenBSD pflog(4) line:
>> Sep 15 21:47:46.420650 rule 0/(match) block out on vlan40:
>> 18.104.22.168.62343 > 22.214.171.124.80: R 1515499462:1515499462(0) ack
>> 2101925191 win 0
>> NetBSD pflog(4) line:
>> 015133 rule 0/0(match): block in on fxp0: IP 126.96.36.199 > 188.8.131.52:
>> TCP/UDP port = missing
>> This is with: # tcpdump -ttt -e -vvv -i pflog0 -e -n on both.
>> I'll open a PR.
> The tcpdump code (such as print-pflog.c) is different. Maybe updating will
> correct this?
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
"...from back in the heady days when "helpdesk" meant nothing, "diskquota"
meant everything, and lives could be bought and sold for a couple of pages
of laser printout - and frequently were."