Date:      Thu, 16 Sep 2004 03:54:28 -0000
From:      "Michael O. Boev" <mike@tric.tomsk.gov.ru>
To:        <pf4freebsd@freelists.org>
Subject:   [pf4freebsd] Re: [patch] NOINET6 ; port numbers
Message-ID:  <MOEOKMEIFPGOADALOHONKELGCHAA.mike@tric.tomsk.gov.ru>
In-Reply-To: <20031010023625.GC645@kt-is.co.kr>

Hello again!

> -----Original Message-----
> From: pf4freebsd-bounce@freelists.org
> [mailto:pf4freebsd-bounce@freelists.org]On Behalf Of Pyun YongHyeon
> Sent: Friday, October 10, 2003 9:36 AM
> To: pf4freebsd@freelists.org
> Subject: [pf4freebsd] Re: [patch] NOINET6 ; port numbers
...
>  > P.S. pftcpdump doesn't show tcp/udp ports. It prints colons after
>  > destination,
>  > but no number after it. It prints nothing after source address.
>  >
>  > gw# pftcpdump -i pflog0
>  > pftcpdump: WARNING: pflog0: no IPv4 address assigned
>  > pftcpdump: listening on pflog0
>  > 20:30:20.670224 213.183.101.200 > 213.183.101.207: [|udp]
>  > 20:30:32.168202 200-171-18-234.speedyterra.com.br > 1.tric.tomsk.gov.ru: [|tcp] (DF) [tos 0x20]
>  >
>  > Am I missing something?
>
> This is valid tcpdump output. It occurs when you have a shorter snap
> length than that of the protocol header. Therefore tcpdump can't analyze
> the full protocol header due to missing information.
> Try to increase the snap length of pflogd with the '-s' option.
> (Default snap length should work for most protocols.)

May I guess pftcpdump makes no use of pflogd (being launched with -i
pflog0).

> If you didn't change default snap length, there may be other bugs
> in pftcpdump. In this case, please tell me more detailed information
> in order to reproduce on my box.
> (rule set, network setup, the procedure taken to generate the packet,
> etc.)

pftcpdump -s 0 -i pflog0 shows everything fine. This means that default
snaplen is really too short for me.
Looking through the source, I see that both tcpdump and pftcpdump have the
default snaplen of 68.
tcpdump -s 68 -i xl0 does show port numbers.
pftcpdump -s 68 -i pflog0 does not. (but starts showing them at -s 72).
72 seems to be minimum snaplen to read tcp/udp headers.

Regards, Mike.
>
>  > --
>  > Best wishes,
>  > [mike@tric.tomsk.gov.ru].
>  >
>  >
>
> Regards,
> Pyun YongHyeon
> --
> Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
>
>
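
An added example (not part of the original thread, and not pftcpdump or tcpdump code) that models the snaplen effect discussed above: a capture is cut at the snap length, and ports can only be decoded if the first 4 bytes of the TCP/UDP header survive behind the link-layer and IP headers. The 48-byte pflog header length is an assumption chosen because it matches the 68/72 threshold reported in the message; 14 bytes is the Ethernet II header; addresses and ports are constructed samples.

```python
import struct

# Link-layer header lengths. 14 is Ethernet II. 48 for pflog is an ASSUMPTION
# (not stated in the thread) that matches the reported 68/72 threshold.
ETHERNET_HDRLEN = 14
PFLOG_HDRLEN_ASSUMED = 48

def build_frame(link_hdrlen, proto, sport, dport):
    """Constructed sample: zeroed link header + 20-byte IPv4 header + TCP/UDP header."""
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
          if proto == 6 else struct.pack("!HHHH", sport, dport, 8, 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return bytes(link_hdrlen) + ip + l4

def capture(frame, snaplen):
    """Apply the snap length; 0 means 'whole packet', as with -s 0."""
    return frame if snaplen == 0 else frame[:snaplen]

def decode(captured, link_hdrlen):
    """Simplified model of the decoder: report truncation the way the thread's output does."""
    ip = captured[link_hdrlen:]
    if len(ip) < 20:
        return "[|ip]"
    ihl = (ip[0] & 0x0F) * 4          # IP header length in bytes
    name = {6: "tcp", 17: "udp"}.get(ip[9], "proto-%d" % ip[9])
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:]
    if len(l4) < 4:                   # ports are the first 4 bytes of TCP and UDP
        return "%s > %s: [|%s]" % (src, dst, name)
    sport, dport = struct.unpack("!HH", l4[:4])
    return "%s.%d > %s.%d: %s" % (src, sport, dst, dport, name)

def min_snaplen_for_ports(link_hdrlen, ihl=20):
    """Smallest snap length that still captures both port fields."""
    return link_hdrlen + ihl + 4

if __name__ == "__main__":
    for label, hdr in (("ethernet", ETHERNET_HDRLEN), ("pflog", PFLOG_HDRLEN_ASSUMED)):
        frame = build_frame(hdr, 6, 40000, 25)
        for snap in (68, 72, 0):
            print(label, "-s", snap, decode(capture(frame, snap), hdr))
        print(label, "minimum snaplen for ports:", min_snaplen_for_ports(hdr))
```

When sizing a capture for firewall logs, check the link-layer header length of the capture interface first; a snap length that is ample on Ethernet can silently drop the port fields on an interface with a longer header.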
