From owner-freebsd-pf@FreeBSD.ORG Thu Sep 16 03:54:28 2004
From: "Michael O. Boev" <mike@tric.tomsk.gov.ru>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: [patch] NOINET6 ; port numbers
Date: Fri, 10 Oct 2003 21:28:09 +0700
In-Reply-To: <20031010023625.GC645@kt-is.co.kr>
List-Id: Technical discussion and general questions about packet filter (pf)

Hello again!

> -----Original Message-----
> From: pf4freebsd-bounce@freelists.org
> [mailto:pf4freebsd-bounce@freelists.org]On Behalf Of Pyun YongHyeon
> Sent: Friday, October 10, 2003 9:36 AM
> To: pf4freebsd@freelists.org
> Subject: [pf4freebsd] Re: [patch] NOINET6 ; port numbers

...

> > P.S. pftcpdump doesn't show tcp/udp ports. It prints colons after
> > destination, but no number after it. It prints nothing after source address.
> >
> > gw# pftcpdump -i pflog0
> > pftcpdump: WARNING: pflog0: no IPv4 address assigned
> > pftcpdump: listening on pflog0
> > 20:30:20.670224 213.183.101.200 > 213.183.101.207: [|udp]
> > 20:30:32.168202 200-171-18-234.speedyterra.com.br > 1.tric.tomsk.gov.ru:
> > [|tcp] (DF) [tos 0x20]
> >
> > Am I missing something?
>
> This is a valid tcpdump output. It occurs when you have a shorter snap
> length than that of the protocol header. Therefore tcpdump can't analyze
> the full protocol header due to missing information.
> Try to increase snap length of pflogd with '-s' option.
> (Default snap length should work for most protocols.)

May I guess pftcpdump makes no use of pflogd (being launched with -i pflog0).

> If you didn't change default snap length, there may be other bugs
> in pftcpdump. In this case, please tell me more detailed information
> in order to reproduce on my box.
> (rule set, network setup, the procedure taken to generate the packet,
> etc.)

pftcpdump -s 0 -i pflog0 shows everything fine. This means that the default
snaplen is really too short for me.

Looking through the source, I see that both tcpdump and pftcpdump have the
default snaplen of 68.

tcpdump -s 68 -i xl0 does show port numbers. pftcpdump -s 68 -i pflog0 does
not (but starts showing them at -s 72). 72 seems to be the minimum snaplen
to read tcp/udp headers.

Regards,
Mike.

>
> > --
> > Best wishes,
> > [mike@tric.tomsk.gov.ru].
> >
> >
> Regards,
> Pyun YongHyeon
> --
> Pyun YongHyeon
>
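The snaplen arithmetic behind the 68-versus-72 observation above, as an added example (my own code, not anything from this thread, pf or tcpdump). It assumes a 48-byte pflog link header, which is the length that makes 72 the minimum for the two port fields, a 14-byte Ethernet header for xl0, and constructed IPv4/UDP sample bytes with documentation addresses.

```python
import struct

ETHER_HDR = 14   # Ethernet link header, as seen by tcpdump -i xl0
PFLOG_HDR = 48   # ASSUMPTION: pflog link header length; 48 + 20 + 4 = 72


def build_ipv4_udp(src_port, dst_port):
    """Constructed sample: minimal IPv4 + UDP packet, no payload,
    192.0.2.1 -> 192.0.2.2 (documentation addresses)."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + udp


def decode_ports(frame, link_hdr_len, snaplen):
    """Mimic what a tcpdump-style decoder can show from a capture truncated
    at `snaplen` bytes: (src_port, dst_port) when both port fields lie inside
    the captured bytes, otherwise the '[|udp]' / '[|tcp]' truncation marker."""
    cap = frame[:snaplen]            # BPF hands the decoder only snaplen bytes
    ip_off = link_hdr_len
    if len(cap) < ip_off + 20:
        return "[|ip]"
    ihl = (cap[ip_off] & 0x0F) * 4   # IPv4 header length from the IHL field
    proto = cap[ip_off + 9]
    name = {6: "tcp", 17: "udp"}.get(proto, "proto")
    tp_off = ip_off + ihl
    if len(cap) < tp_off + 4:        # ports are the first 4 bytes of TCP/UDP
        return "[|%s]" % name
    return struct.unpack("!HH", cap[tp_off:tp_off + 4])


def min_snaplen_for_ports(link_hdr_len, ihl=20):
    """Smallest snaplen that still captures both port fields."""
    return link_hdr_len + ihl + 4


if __name__ == "__main__":
    pkt = build_ipv4_udp(53, 1234)
    # A zero-filled placeholder stands in for the real link header bytes.
    for name, hdr in (("xl0", ETHER_HDR), ("pflog0", PFLOG_HDR)):
        for snap in (68, 72):
            print(name, "-s", snap, decode_ports(b"\x00" * hdr + pkt, hdr, snap))
        print(name, "needs at least -s", min_snaplen_for_ports(hdr))
```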