From: Pyun YongHyeon
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: [patch] NOINET6 ; port numbers
Date: Thu, 16 Sep 2004 03:54:38 -0000
X-Original-Date: Sat, 11 Oct 2003 11:36:17 +0900
Message-ID: <20031011023617.GA4789@kt-is.co.kr>
References: <20031010023625.GC645@kt-is.co.kr>

On Fri, Oct 10, 2003 at 09:28:09PM +0700, Michael O. Boev wrote:
> Hello again!
>
> > -----Original Message-----
> > From: pf4freebsd-bounce@freelists.org
> > [mailto:pf4freebsd-bounce@freelists.org]On Behalf Of Pyun YongHyeon
> > Sent: Friday, October 10, 2003 9:36 AM
> > To: pf4freebsd@freelists.org
> > Subject: [pf4freebsd] Re: [patch] NOINET6 ; port numbers
> ...
> > > P.S. pftcpdump doesn't show tcp/udp ports. It prints colons after
> > > destination,
> > > but no number after it. It prints nothing after source address.
> > >
> > > gw# pftcpdump -i pflog0
> > > pftcpdump: WARNING: pflog0: no IPv4 address assigned
> > > pftcpdump: listening on pflog0
> > > 20:30:20.670224 213.183.101.200 > 213.183.101.207: [|udp]
> > > 20:30:32.168202 200-171-18-234.speedyterra.com.br
> > > 1.tric.tomsk.gov.ru:
> > > [|tcp] (DF) [tos 0x20]
> > >
> > > Am I missing something?
> >
> > This is a valid tcpdump output. It occurs when you have a shorter snap
> > length than that of the protocol header. Therefore tcpdump can't analyze
> > the full protocol header due to missing information.
> > Try to increase the snap length of pflogd with the '-s' option.
> > (Default snap length should work for most protocols.)
>
> May I guess pftcpdump makes no use of pflogd (being launched with -i
> pflog0).
>

Yes, you are right. pflogd is not involved when you use the interface name
directly.

> > If you didn't change the default snap length, there may be other bugs
> > in pftcpdump. In this case, please tell me more detailed information
> > in order to reproduce on my box.
> > (rule set, network setup, the procedure taken to generate the packet,
> > etc.)
>
> pftcpdump -s 0 -i pflog0 shows everything fine. This means that the default
> snaplen is really too short for me.
> Looking through the source, I see that both tcpdump and pftcpdump have the
> default snaplen of 68.
> tcpdump -s 68 -i xl0 does show port numbers.
> pftcpdump -s 68 -i pflog0 does not (but starts showing them at -s 72).
> 72 seems to be the minimum snaplen to read tcp/udp headers.
>

Yes. This is pftcpdump's problem. You may still need snaplen 92 or 96
if you want to see the same output as 'tcpdump -s 68' (i.e. you may
want to see the TCP option field).
Of course, if you need just a port number, you can decrease the snaplen
as low as 72 or 76.
Anyway, I'll commit the fix.

Thank you very much.

Regards,
Pyun YongHyeon
-- 
Pyun YongHyeon
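
The snaplen effect discussed in this thread, as an added example that is not part of the original message or of pftcpdump: a bounds-checked port decoder run over a constructed UDP packet behind two link header sizes. The 48-byte pflog header length is an assumption (the thread does not state it; it is consistent with the reported 72-byte threshold), and `decode_ports` and `ports_visible` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETHER_HDRLEN 14 /* Ethernet II link header */
#define PFLOG_HDRLEN 48 /* ASSUMPTION: pflog link header size, not stated in the thread */

enum decode { PORTS_OK, TRUNC_IP, TRUNC_L4 };

/* Read TCP/UDP ports from an IPv4 capture without reading past caplen. */
static enum decode decode_ports(const uint8_t *buf, size_t caplen, size_t linklen,
                                uint16_t *sport, uint16_t *dport)
{
    if (caplen < linklen + 20)
        return TRUNC_IP;                      /* fixed IPv4 header cut off */
    const uint8_t *ip = buf + linklen;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;  /* IPv4 header length with options */
    if (ihl < 20)
        return TRUNC_IP;                      /* malformed header length */
    if (caplen < linklen + ihl + 4)
        return TRUNC_L4;                      /* what prints as [|tcp] or [|udp] */
    const uint8_t *l4 = ip + ihl;
    *sport = (uint16_t)((l4[0] << 8) | l4[1]);
    *dport = (uint16_t)((l4[2] << 8) | l4[3]);
    return PORTS_OK;
}

/* Constructed sample: zeroed link header, IPv4 without options, UDP 1024 -> 53. */
static int ports_visible(size_t linklen, size_t snaplen)
{
    uint8_t buf[128] = {0};
    uint16_t sport = 0, dport = 0;
    size_t full = linklen + 20 + 8;
    uint8_t *ip = buf + linklen;
    ip[0] = 0x45; ip[9] = 17;                 /* version 4, IHL 5, protocol UDP */
    ip[20] = 0x04; ip[21] = 0x00;             /* source port 1024 */
    ip[22] = 0x00; ip[23] = 0x35;             /* destination port 53 */
    /* -s 0 means "whole packet"; otherwise the capture keeps at most snaplen bytes */
    size_t caplen = (snaplen == 0 || snaplen > full) ? full : snaplen;
    return decode_ports(buf, caplen, linklen, &sport, &dport) == PORTS_OK
        && sport == 1024 && dport == 53;
}

int main(void)
{
    printf("ether -s 68: %d\n", ports_visible(ETHER_HDRLEN, 68));
    printf("pflog -s 68: %d\n", ports_visible(PFLOG_HDRLEN, 68));
    printf("pflog -s 72: %d\n", ports_visible(PFLOG_HDRLEN, 72));
    return 0;
}
```

The decoder treats the first four bytes of the transport header as sufficient for ports, which models the behaviour reported in the thread rather than tcpdump's exact checks.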