Subject: Re: pflog on NetBSD
To: Michael-John Turner <mj@turner.org.za>
From: Brian A. Seklecki <lavalamp@spiritual-machines.org>
List: netbsd-users
Date: 09/22/2006 09:29:38
On Fri, 22 Sep 2006, Brian A. Seklecki wrote:


Michael:

Perhaps it has something to do with the underlying protocol?  Was your 
tcpdump on ethernet?   OpenBSD has made the snarf length of 96 hard coded 
into their in-tree tcpdump src.

> Found it.  NetBSD defaults to snaplen of 68.  OpenBSD defaults to 96.
> 96 is required to see all of the pflog details:
>

Perhaps a note could be installed into the example tcpdump(8) in 
src/dist/pf/share/man/man4/pflog.4 with flag "-s 96".

~BAS

>  -s     Snarf  snaplen  bytes  of  data from each packet rather than the
>              default of 68 (with SunOS's NIT, the minimum  is  actually  96).
>              68  bytes is adequate for IP, ICMP, TCP and UDP but may truncate
>              protocol information from  name  server  and  NFS  packets  (see
>              below).
>
>     -s snaplen
>               Analyze at most the first snaplen bytes of data from each pack-
>               et rather than the default of 96.  96 bytes is adequate for IP,
>               ICMP, TCP, and UDP, but may truncate protocol information from
>               name server and NFS packets (see below).  Packets truncated be-
>               cause of a limited snaplen are indicated in the output with
>               ``[|proto]'', where proto is the name of the protocol level at
>               which the truncation has occurred.
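As an added example (not part of the original thread), a small check that scans tcpdump's text output from a pflog interface for the ``[|proto]`` truncation markers the manual page describes, so an operator can tell whether the snaplen in use is cutting off the protocol layers they need; the sample output lines are constructed, with an illustrative pflog prefix.

```python
import re
from collections import Counter

# Constructed sample of tcpdump text output from a pflog interface captured
# with too small a snaplen.  The ``[|proto]`` suffix is tcpdump's own
# truncation indicator; the "rule ... on fxp0" prefix is only illustrative.
SAMPLE_OUTPUT = """\
rule 3/(match) block in on fxp0: 192.0.2.10.4242 > 198.51.100.5.22: [|tcp]
rule 3/(match) block in on fxp0: 192.0.2.11.53 > 198.51.100.5.53: [|domain]
rule 0/(match) pass out on fxp0: 198.51.100.5 > 192.0.2.1: icmp: echo request
rule 3/(match) block in on fxp0: 192.0.2.12.1024 > 198.51.100.5.2049: [|nfs]
rule 3/(match) block in on fxp0: 192.0.2.13.1025 > 198.51.100.5.22: [|tcp]
"""

# Matches the "[|proto]" marker and captures the protocol level at which
# tcpdump ran out of captured bytes.
TRUNC_RE = re.compile(r"\[\|(?P<proto>[A-Za-z0-9_-]+)\]")


def truncation_report(text):
    """Return (non-empty line count, Counter of protocol -> truncated lines)."""
    lines = [line for line in text.splitlines() if line.strip()]
    counts = Counter()
    for line in lines:
        match = TRUNC_RE.search(line)
        if match:
            counts[match.group("proto")] += 1
    return len(lines), counts


def capture_is_truncated(text):
    """True if any line in the tcpdump output carries a truncation marker."""
    _, counts = truncation_report(text)
    return sum(counts.values()) > 0


if __name__ == "__main__":
    total, counts = truncation_report(SAMPLE_OUTPUT)
    print(f"{sum(counts.values())} of {total} logged packets were truncated")
    for proto, n in counts.most_common():
        print(f"  [|{proto}]: {n}")
    if counts:
        # Per the thread: NetBSD's default snaplen of 68 is too small for pflog.
        print("consider re-running with: tcpdump -n -e -ttt -s 96 -i pflog0")
```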