Subject: Re: pflog on NetBSD
To: Michael-John Turner <firstname.lastname@example.org>
From: Brian A. Seklecki <email@example.com>
Date: 09/22/2006 09:29:38
On Fri, 22 Sep 2006, Brian A. Seklecki wrote:
Perhaps it has something to do with the underlying protocol? Was your
tcpdump on ethernet? OpenBSD has made the snarf length of 96 hard coded
into their in-tree tcpdump src.
> Found it. NetBSD defaults to snaplen of 68. OpenBSD defaults to 96.
> 96 is required to see all of the pflog details:
Perhaps a note could be installed into the example tcpdump(8) in
src/dist/pf/share/man/man4/pflog.4 with flag "-s 96".
> -s Snarf snaplen bytes of data from each packet rather than
> default of 68 (with SunOS's NIT, the minimum is actually 96).
> 68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate
> protocol information from name server and NFS packets (see
> -s snaplen
> Analyze at most the first snaplen bytes of data from each pack-
> et rather than the default of 96. 96 bytes is adequate for IP,
> ICMP, TCP, and UDP, but may truncate protocol information from
> name server and NFS packets (see below). Packets truncated be-
> cause of a limited snaplen are indicated in the output with
> ``[|proto]'', where proto is the name of the protocol level at
> which the truncation has occurred.