[Bug 283799] tcpdump (14.2+) endian-swaps uid when parsing pflog data

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 02 Jan 2025 23:28:49 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283799

--- Comment #4 from eborisch+FreeBSD@gmail.com ---
Something like:

pass out log (user) on eth0

in pf.conf should generate cases. Traffic will need to be from someone other
than root to be interesting.

I see things like:

# tcpdump -er /var/log/pflog

[...]
16:48:29.398601 rule 5/0(match) [uid 436469760]: pass out on vtnet0:
machine.name.one.23101 > machine.name.two.ssh: Flags [S], seq 3725723442, win
65535, options [mss 1460, [|tcp]

where that uid should be 1050, and not 436469760.

>>> import socket
>>> socket.ntohl(436469760)
1050

Most of the other fields are from network code, which frequently lives in the
big-endian world. UID and PID are local parameters, so the endian mismatch
isn't that surprising, if not explicitly documented.

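The byte-order confusion described in the comment, as an added example (not code from the bug report or from tcpdump): the kernel writes the pflog uid field in host order, an affected tcpdump decodes it as big-endian, and on a little-endian host the printed value can be repaired by swapping it back, which is what `socket.ntohl()` did above. The `looks_swapped` heuristic and the threshold of 65536 are assumptions for post-processing captured output, not anything the bug report states.

```python
import re
import struct

# Constructed sample, modelled on the tcpdump line quoted in the comment.
SAMPLE_LINE = ("16:48:29.398601 rule 5/0(match) [uid 436469760]: pass out on vtnet0: "
               "machine.name.one.23101 > machine.name.two.ssh: Flags [S]")
UID_RE = re.compile(r"\[uid (\d+)\]")


def pack_host_order_uid(uid: int, little_endian: bool = True) -> bytes:
    """pf records the uid in the kernel's native byte order (little-endian assumed here)."""
    return struct.pack("<I" if little_endian else ">I", uid)


def read_uid_as_network_order(raw: bytes) -> int:
    """What the affected tcpdump does: decode the 4-byte field as big-endian."""
    return struct.unpack("!I", raw)[0]


def read_uid_host_order(raw: bytes, little_endian: bool = True) -> int:
    """Correct decoding: read the field in the capturing host's own byte order."""
    return struct.unpack("<I" if little_endian else ">I", raw)[0]


def byteswap32(value: int) -> int:
    """Reverse a 32-bit byte swap; same effect as socket.ntohl() on a little-endian host."""
    return int.from_bytes(value.to_bytes(4, "big"), "little")


def looks_swapped(uid: int, max_plausible: int = 1 << 16) -> bool:
    """Heuristic (assumption): a printed uid far above any local uid whose swapped
    form is a plausible uid is probably the endian-swapped value."""
    return uid > max_plausible and byteswap32(uid) <= max_plausible


def correct_line(line: str) -> str:
    """Rewrite '[uid N]' in a tcpdump pflog line when N looks byte-swapped."""
    def repl(m: re.Match) -> str:
        uid = int(m.group(1))
        return f"[uid {byteswap32(uid)}]" if looks_swapped(uid) else m.group(0)
    return UID_RE.sub(repl, line)


if __name__ == "__main__":
    raw = pack_host_order_uid(1050)
    print(read_uid_as_network_order(raw), read_uid_host_order(raw))  # 436469760 1050
    print(correct_line(SAMPLE_LINE))
```

The heuristic deliberately leaves uid 0 (root) and other small values untouched, since swapping them would not produce a plausible uid.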