Date: Thu, 16 Sep 2004 03:54:38 -0000
From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: [patch] NOINET6 ; port numbers
Message-ID: <20031011023617.GA4789@kt-is.co.kr>
In-Reply-To: <MOEOKMEIFPGOADALOHONKELGCHAA.mike@tric.tomsk.gov.ru>
References: <20031010023625.GC645@kt-is.co.kr> <MOEOKMEIFPGOADALOHONKELGCHAA.mike@tric.tomsk.gov.ru>
On Fri, Oct 10, 2003 at 09:28:09PM +0700, Michael O. Boev wrote:
> Hello again!
>
> > -----Original Message-----
> > From: pf4freebsd-bounce@freelists.org
> > [mailto:pf4freebsd-bounce@freelists.org]On Behalf Of Pyun YongHyeon
> > Sent: Friday, October 10, 2003 9:36 AM
> > To: pf4freebsd@freelists.org
> > Subject: [pf4freebsd] Re: [patch] NOINET6 ; port numbers
> ...
> > > P.S. pftcpdump doesn't show tcp/udp ports. It prints colons after
> > > destination, but no number after it. It prints nothing after source
> > > address.
> > >
> > > gw# pftcpdump -i pflog0
> > > pftcpdump: WARNING: pflog0: no IPv4 address assigned
> > > pftcpdump: listening on pflog0
> > > 20:30:20.670224 213.183.101.200 > 213.183.101.207: [|udp]
> > > 20:30:32.168202 200-171-18-234.speedyterra.com.br > 1.tric.tomsk.gov.ru:
> > > [|tcp] (DF) [tos 0x20]
> > >
> > > Am I missing something?
> >
> > This is valid tcpdump output. It occurs when the snap length is
> > shorter than the protocol header. Therefore tcpdump can't analyze the
> > full protocol header due to missing information.
> > Try to increase the snap length of pflogd with the '-s' option.
> > (The default snap length should work for most protocols.)
>
> May I guess pftcpdump makes no use of pflogd (being launched with -i
> pflog0).
>

Yes, you are right. pflogd is not involved when you use the interface name
directly.

> > If you didn't change the default snap length, there may be other bugs
> > in pftcpdump. In this case, please tell me more detailed information
> > in order to reproduce it on my box.
> > (rule set, network setup, the procedure taken to generate the packet,
> > etc.)
>
> pftcpdump -s 0 -i pflog0 shows everything fine. This means that the default
> snaplen is really too short for me.
> Looking through the source, I see that both tcpdump and pftcpdump have the
> default snaplen of 68.
> tcpdump -s 68 -i xl0 does show port numbers.
> pftcpdump -s 68 -i pflog0 does not (but starts showing them at -s 72).
> 72 seems to be the minimum snaplen to read tcp/udp headers.
>

Yes. This is pftcpdump's problem. You may still need snaplen 92 or 96 if
you want to see the same output as 'tcpdump -s 68' (i.e. you may want to
see the TCP option field). Of course, if you just need the port number, you
can decrease the snaplen as low as 72 or 76.
Anyway, I'll commit the fix.
Thank you very much.

Regards,
Pyun YongHyeon
-- 
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
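The snaplen arithmetic behind this thread, as an added Python example that is not part of the mailing-list message and not code from pf, pflogd or pftcpdump. It assumes a 48-byte pflog link-layer header (DLT_PFLOG's pfloghdr is 45 bytes, which libpcap word-aligns to 48; the thread itself never states this number) and a 14-byte Ethernet header, builds a constructed IPv4/TCP or UDP frame behind each, and then parses only the bytes a capture with a given snaplen would keep. Under that assumption it reproduces the figures quoted above: ports first appear at snaplen 72 on pflog, and 92 or 96 is what it takes to also see 4 or 8 bytes of TCP options, while tcpdump's default of 68 already covers the ports on Ethernet. A `None` result is the case tcpdump prints as `[|tcp]` or `[|udp]`.

```python
import struct

# Link-layer header lengths in bytes. The pflog value is an assumption made
# for this example (DLT_PFLOG header of 45 bytes, padded to 48 by libpcap);
# the thread never states it. Ethernet is 14 bytes.
LINK_HDR_LEN = {"ethernet": 14, "pflog": 48}
IPV4_HDR_LEN = 20          # minimal IPv4 header, no IP options
TCP_HDR_LEN = 20           # TCP header without options
UDP_HDR_LEN = 8
TCPDUMP_DEFAULT_SNAPLEN = 68


def min_snaplen(link, l4_bytes, ip_hdr_len=IPV4_HDR_LEN):
    """Smallest snaplen that captures the first `l4_bytes` bytes of the
    transport header on the given link type (4 bytes = both port fields)."""
    return LINK_HDR_LEN[link] + ip_hdr_len + l4_bytes


def build_frame(link, proto, sport, dport, tcp_options=b""):
    """Construct a sample frame: an all-zero link header of the right length,
    a minimal IPv4 header and a TCP or UDP header. Constructed test data."""
    if proto == "tcp":
        data_offset = (TCP_HDR_LEN + len(tcp_options)) // 4
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                         data_offset << 4, 0x02, 0xFFFF, 0, 0) + tcp_options
        ip_proto = 6
    elif proto == "udp":
        l4 = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN, 0)
        ip_proto = 17
    else:
        raise ValueError(proto)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(l4), 0,
                     0x4000, 64, ip_proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return bytes(LINK_HDR_LEN[link]) + ip + l4


def extract_ports(frame, link, snaplen):
    """Parse only what a capture with this snaplen keeps (snaplen 0 means the
    whole packet, like '-s 0'). Returns (sport, dport), or None when the
    transport header was cut off, which tcpdump shows as [|tcp] / [|udp]."""
    captured = frame[:snaplen] if snaplen else frame
    off = LINK_HDR_LEN[link]
    if len(captured) < off + IPV4_HDR_LEN:
        return None                      # IP header itself is truncated
    ihl = (captured[off] & 0x0F) * 4     # honour IP options if present
    l4 = off + ihl
    if len(captured) < l4 + 4:
        return None                      # port fields not captured
    return struct.unpack("!HH", captured[l4:l4 + 4])


def captured_tcp_option_bytes(frame, link, snaplen):
    """Bytes of TCP options that survive a capture at this snaplen, for a
    frame built by build_frame (no payload after the options)."""
    captured = frame[:snaplen] if snaplen else frame
    return max(0, len(captured) - (LINK_HDR_LEN[link] + IPV4_HDR_LEN + TCP_HDR_LEN))


if __name__ == "__main__":
    # MSS 1460, NOP, NOP, SACK-permitted: 8 bytes of options (constructed)
    opts = b"\x02\x04\x05\xb4\x01\x01\x04\x02"
    frame = build_frame("pflog", "tcp", 1234, 80, tcp_options=opts)
    for s in (TCPDUMP_DEFAULT_SNAPLEN, 72, 92, 96):
        print(s, extract_ports(frame, "pflog", s),
              captured_tcp_option_bytes(frame, "pflog", s))
```

Running the block prints one line per snaplen: 68 yields `None` and no option bytes, 72 yields the ports, and 92 and 96 add 4 and 8 option bytes. Swapping the `LINK_HDR_LEN["pflog"]` assumption for the header length of whatever pflog version is actually in use makes the same computation valid for that version.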