Subject: Re: pflog on NetBSD
To: David Brownlee <abs@NetBSD.org>
From: Brian A. Seklecki <lavalamp@spiritual-machines.org>
List: netbsd-users
Date: 11/03/2006 21:40:00
I vote for raising the default to 96 for v4 and v6 mode rather than trying
to do something absurd like conditional checking on the type of interface.
Thoughts?
~BAS
On Fri, 6 Oct 2006, Brian A. Seklecki wrote:
>
> All:
>
> I opened: bin/34733
>
> Also, I figured something else out while checking the upstream vendor:
>
> http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/interface.h?rev=1.271
>
> I may be the first person to notice/report this because I'm using NetBSD in
> an embedded environment with a highly profiled kernel (IPv6 stripped out and
> lots of mk.conf(5) flags). I was looking at the code and realized the
> default snaplen was a _compile time_ option. See below:
>
> ~BAS
>
> Here's they're doing the 68 vs. 96 for a different reason other than
> pflog(4).
>
> /*
> * The default snapshot length. This value allows most printers to print
> * useful information while keeping the amount of unwanted data down.
> */
> #ifndef INET6
> #define DEFAULT_SNAPLEN 68 /* ether + IPv4 + TCP + 14 */
> #else
> #define DEFAULT_SNAPLEN 96 /* ether + IPv6 + TCP + 22 */
> #endif
>
>
>
>
> On Fri, 22 Sep 2006, David Brownlee wrote:
>
>> On Fri, 22 Sep 2006, Michael-John Turner wrote:
>>
>>> On Fri, Sep 22, 2006 at 09:29:38AM -0400, Brian A. Seklecki wrote:
>>>> Perhaps it has something to do with the underlying protocol? Was your
>>>> tcpdump on ethernet? OpenBSD has made the snarf length of 96 hard coded
>>>> into thier in-tree tcpdump src.
>>>
>>> Sounds like a reasonable theory - my loginterface is a pppoe(4) device.
>>>
>>>> Perhaps a note could be installed into the example tcpdump(8) in
>>>> src/dist/pf/share/man/man4/pflog.4 with flag "-s 96".
>>>
>>> Sounds good to me.
>>
>> Would it make sense for NetBSD to default to 96 also?
>>
>> --
>> David/absolute -- www.NetBSD.org: No hype required --
>>
>
> l8*
> -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
> http://www.spiritual-machines.org/
>
> "...from back in the heady days when "helpdesk" meant nothing, "diskquota"
> meant everything, and lives could be bought and sold for a couple of pages
> of laser printout - and frequently were."
>
l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/
"...from back in the heady days when "helpdesk" meant nothing, "diskquota"
meant everything, and lives could be bought and sold for a couple of pages
of laser printout - and frequently were."