From owner-freebsd-net@FreeBSD.ORG  Thu Oct 20 16:37:54 2011
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 385FC106566C
	for <net@freebsd.org>; Thu, 20 Oct 2011 16:37:54 +0000 (UTC)
	(envelope-from kevin.wilcox@gmail.com)
Received: from mail-pz0-f44.google.com (mail-pz0-f44.google.com
	[209.85.210.44])
	by mx1.freebsd.org (Postfix) with ESMTP id 132CE8FC0A
	for <net@freebsd.org>; Thu, 20 Oct 2011 16:37:53 +0000 (UTC)
Received: by pzk4 with SMTP id 4so16130238pzk.3
	for <net@freebsd.org>; Thu, 20 Oct 2011 09:37:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc:content-type:content-transfer-encoding;
	bh=xPxUmvP/f5M792byAbcEr5doyvy4PI25gXjLnvMWKC0=;
	b=R9BVDot7O6OHMFOeiF+/na8tiAptc+sdBJeCSYzGOLCELtX7KI+XYJpvgG+1UjK1cd
	P7z8J3f1A333tmHxtVke1zKCpGxlj/Dt+eBZijJZbihQ+0mLbwg6OdiysaQSDdpycY0d
	ZYqLyAfIjnZOtWoWdP0gpNRdu6S4XRjPolCQs=
MIME-Version: 1.0
Received: by 10.68.208.229 with SMTP id mh5mr21197939pbc.124.1319127164568;
	Thu, 20 Oct 2011 09:12:44 -0700 (PDT)
Received: by 10.68.40.199 with HTTP; Thu, 20 Oct 2011 09:12:44 -0700 (PDT)
In-Reply-To: <00C1A678-1654-40D2-9ADD-1857C2ECCA04@neville-neil.com>
References: <00C1A678-1654-40D2-9ADD-1857C2ECCA04@neville-neil.com>
Date: Thu, 20 Oct 2011 12:12:44 -0400
Message-ID: <CAFpgnrNAMELsJ8g9JxfO-MyZA9iaAyGsgsT5VFi204AyozYXhg@mail.gmail.com>
From: Kevin Wilcox <kevin.wilcox@gmail.com>
To: George Neville-Neil <gnn@neville-neil.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: net@freebsd.org
Subject: Re: Patch to enable our tcpdump to handle CARP
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Oct 2011 16:37:54 -0000

On 19 October 2011 16:20, George Neville-Neil <gnn@neville-neil.com> wrote:

> I've been trying to debug CARP problems of late. I noticed that our tcpdu=
mp didn't have CARP
> support. =C2=A0I took and fixed some code from OpenBSD so that our tcpdum=
p can work with
> CARP. =C2=A0Unlike OpenBSD you have to specify -T carp to read carp packe=
ts. =C2=A0In their version
> you specify -T VRRP, because they don't like VRRP. =C2=A0I decided that w=
e should go with
> what most of the industry cares about rather than what OpenBSD cares abou=
t.

Additionally, Daniel Hartmeier posted a significant patch to
freebsd-questions@ for pf+tcpdump earlier this year that added support
for the pfsync device. I've been using it in production on firewalls
with 125k pps average to track NAT translations for a /17 and it's
been of endless utility since pf doesn't offer the translation logging
you see on some commercial devices.

kmw