Subject: Re: pflog on NetBSD
To: Michael-John Turner <firstname.lastname@example.org>
From: Brian A. Seklecki <email@example.com>
Date: 09/22/2006 07:35:15
Found it. NetBSD defaults to snaplen of 69. OpenBSD defaults to 96.
96 is required to see all of the pflog details:
-s Snarf snaplen bytes of data from each packet rather than
default of 68 (with SunOS's NIT, the minimum is actually 96).
68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate
protocol information from name server and NFS packets (see
Analyze at most the first snaplen bytes of data from each pack-
et rather than the default of 96. 96 bytes is adequate for IP,
ICMP, TCP, and UDP, but may truncate protocol information from
name server and NFS packets (see below). Packets truncated be-
cause of a limited snaplen are indicated in the output with
``[|proto]'', where proto is the name of the protocol level at
which the truncation has occurred.
On Fri, 2006-09-22 at 03:45, Michael-John Turner wrote:
> On Thu, Sep 21, 2006 at 06:25:40PM -0400, Brian A. Seklecki wrote:
> > Interesting. I was entertaining the idea tha tit may be a configuration
> > issue. Your pf.conf(5) has a 'block log all' near the beginning?
> Yep, it does. I have the following
> set loginterface $ext_if
> block log all
> Where $ext_if is my external interface (in the log sample I pasted,
> pppoe0). I was running tcpdump with the same options as you, BTW.
> > There is an issue of an "old pflog format" v.s. the current one, but I
> > think we can rule that out.
> I'm guessing so. My feeling is that it's possibly related to lkm vs.
> compiled in (my pf support is compiled in), but that's a wild hunch.