[pf4freebsd] Re: [patch] NOINET6 ; port numbers
Michael O. Boev
mike at tric.tomsk.gov.ru
Wed Sep 15 20:54:28 PDT 2004
Hello again!
> -----Original Message-----
> From: pf4freebsd-bounce at freelists.org
> [mailto:pf4freebsd-bounce at freelists.org]On Behalf Of Pyun YongHyeon
> Sent: Friday, October 10, 2003 9:36 AM
> To: pf4freebsd at freelists.org
> Subject: [pf4freebsd] Re: [patch] NOINET6 ; port numbers
...
> > P.S. pftcpdump doesn't show tcp/udp ports. It prints colons after
> > destination, but no number after it. It prints nothing after source
> > address.
> >
> > gw# pftcpdump -i pflog0
> > pftcpdump: WARNING: pflog0: no IPv4 address assigned
> > pftcpdump: listening on pflog0
> > 20:30:20.670224 213.183.101.200 > 213.183.101.207: [|udp]
> > 20:30:32.168202 200-171-18-234.speedyterra.com.br > 1.tric.tomsk.gov.ru: [|tcp] (DF) [tos 0x20]
> >
> > Am I missing something?
>
> This is a valid tcpdump output. It occurs when you have a shorter snap
> length than that of the protocol header. Therefore tcpdump can't analyze
> the full protocol header due to missing information.
> Try to increase snap length of pflogd with '-s' option.
> (Default snap length should work for most protocols.)
May I guess pftcpdump makes no use of pflogd (being launched with -i
pflog0).
> If you didn't change default snap length, there may be other bugs
> in pftcpdump. In this case, please tell me more detailed information
> in order to reproduce on my box.
> (rule set, network setup, the procedure taken to generate the packet,
> etc.)
pftcpdump -s 0 -i pflog0 shows everything fine. This means that default
snaplen is really too short for me.
Looking through the source, I see that both tcpdump and pftcpdump have the
default snaplen of 68.
tcpdump -s 68 -i xl0 does show port numbers.
pftcpdump -s 68 -i pflog0 does not. (but starts showing them at -s 72).
72 seems to be minimum snaplen to read tcp/udp headers.
Regards, Mike.
>
> > --
> > Best wishes,
> > [mike at tric.tomsk.gov.ru].
> >
> >
>
> Regards,
> Pyun YongHyeon
> --
> Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
>
>