Date:      Thu, 12 Mar 2009 08:24:35 +0200
From:      "N. Ersen SISECI" <siseci@gmail.com>
To:        "Petersen, Mark" <MPetersen@gs1us.org>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Log Labels?
Message-ID:  <49B8AAA3.7060505@gmail.com>
In-Reply-To: <54B7F7DBCA12D94CA3FE17B68F1461A705E5B993@LVNJEVS205.UCCORG.org>
References:  <54B7F7DBCA12D94CA3FE17B68F1461A705E5B993@LVNJEVS205.UCCORG.org>

Hello,

I have been using this patch for a long time. If you apply if_pflog
patches to pf and print-pflog.c to tcpdump you should see label values
in log lines.

If you are interested in this patch I can send you its 7.0 version.

# tcpdump -nttttveli pflog0 -s 1024
2009-03-12 08:23:22.206866 rule 2336/0(match): pass in on em0: label 70:
(tos 0x0, ttl 128, id 1054, offset 0, flags [DF], proto: TCP (6),
length: 48) 192.168.6.2.4252 > 1.2.3.4.443: S, cksum 0x1480 (correct),
3376786061:3376786061(0) win 65535 <mss 1460,nop,nop,sackOK>


Thanks,

N. Ersen SISECI
http://www.enderunix.org


Petersen, Mark wrote:
> Hello,
>
> I'm trying to find out if it's possible to do IPF like log-tags with pf.
> I found an interesting patch here -
> http://osdir.com/ml/os.freebsd.devel.pf4freebsd/2006-06/msg00062.html
> that enables this.  It doesn't appear to have made it into pflog though.
>
> Is there a way to use this feature?  I'd much rather be logging a label
> and rule #.  I can see if these patches still work with 7 of course.
> Has anyone tried this?
>
> Finally - it appears there are only patches for pf, but if I compile
> tcpdump with the pf patches, will it work?  What about using mergecap
> with this?  If I recompile mergecap/tshark would this work?  I know I
> can just try, but no sense reinventing the wheel if someone else spent
> some time trying to do the same.
>
> Thanks,
> Mark
>
>   
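
An added example, not part of the original message or of the patch it describes: a parser that pulls the rule number, action, interface and label out of tcpdump pflog lines like the one shown above, then counts hits per label. The "label <value>:" syntax is inferred from that single sample line, and the function names and the two extra sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Header of a pflog line printed by "tcpdump -e -tttt", as in the sample above.
# The optional "label <value>:" field appears only with the patched if_pflog
# and print-pflog.c; its syntax here is inferred from that one sample line and
# assumes the label itself contains no ": " sequence.
PFLOG_HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>\S+) (?P<dir>in|out) on (?P<ifname>[^\s:]+):"
    r"(?: label (?P<label>.+?):(?=\s|$))?"
)
# First "src.port > dst.port:" pair (IPv4 only) after the header.
FLOW = re.compile(r"(?P<src>(?:\d+\.){3}\d+)\.(?P<sport>\d+) > "
                  r"(?P<dst>(?:\d+\.){3}\d+)\.(?P<dport>\d+):")

def parse_pflog_line(line):
    """Return a dict of header fields (label is None if absent), or None."""
    m = PFLOG_HEADER.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"], rec["subrule"] = int(rec["rule"]), int(rec["subrule"])
    flow = FLOW.search(line, m.end())
    if flow:
        rec.update(flow.groupdict())
    return rec

def count_by_label(lines):
    """Count records per (label, action); unlabelled rules use 'rule <n>'."""
    counts = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec:
            key = rec["label"] or "rule %d" % rec["rule"]
            counts[(key, rec["action"])] += 1
    return counts

# Constructed input: the sample from the message joined onto one line, plus
# two made-up lines (a labelled block, and one from an unpatched tcpdump).
SAMPLE = [
    "2009-03-12 08:23:22.206866 rule 2336/0(match): pass in on em0: label 70: (tos 0x0, ttl 128, id 1054, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.6.2.4252 > 1.2.3.4.443: S, cksum 0x1480 (correct), 3376786061:3376786061(0) win 65535 <mss 1460,nop,nop,sackOK>",
    "2009-03-12 08:23:25.000001 rule 12/0(match): block in on em0: label ssh-drop: (tos 0x0, ttl 52, id 4242, offset 0, flags [DF], proto: TCP (6), length: 60) 203.0.113.9.51515 > 192.168.6.2.22: S",
    "2009-03-12 08:23:26.000002 rule 7/0(match): pass out on em0: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.6.2.4300 > 1.2.3.4.80: S",
]

if __name__ == "__main__":
    for key, n in sorted(count_by_label(SAMPLE).items()):
        print(key, n)
```

Lines from an unpatched tcpdump still parse; their label is None and they are counted under the rule number instead.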



