[pf4freebsd] Re: [patch] NOINET6 ; port numbers
Pyun YongHyeon
yongari at kt-is.co.kr
Wed Sep 15 20:54:38 PDT 2004
On Fri, Oct 10, 2003 at 09:28:09PM +0700, Michael O. Boev wrote:
> Hello again!
>
> > -----Original Message-----
> > From: pf4freebsd-bounce at freelists.org
> > [mailto:pf4freebsd-bounce at freelists.org]On Behalf Of Pyun YongHyeon
> > Sent: Friday, October 10, 2003 9:36 AM
> > To: pf4freebsd at freelists.org
> > Subject: [pf4freebsd] Re: [patch] NOINET6 ; port numbers
> ...
> > > P.S. pftcpdump doesn't show tcp/udp ports. It prints colons after
> > > destination,
> > > but no number after it. It prints nothing after source address.
> > >
> > > gw# pftcpdump -i pflog0
> > > pftcpdump: WARNING: pflog0: no IPv4 address assigned
> > > pftcpdump: listening on pflog0
> > > 20:30:20.670224 213.183.101.200 > 213.183.101.207: [|udp]
> > > 20:30:32.168202 200-171-18-234.speedyterra.com.br >
> > 1.tric.tomsk.gov.ru:
> > > [|tcp] (DF) [tos 0x20]
> > >
> > > Am I missing something?
> >
> > This is valid tcpdump output. It occurs when you have a shorter snap
> > length than that of the protocol header. Therefore tcpdump can't analyze
> > the full protocol header due to missing information.
> > Try to increase snap length of pflogd with '-s' option.
> > (Default snap length should work for most protocols.)
>
> May I guess pftcpdump makes no use of pflogd (being launched with -i
> pflog0).
>
Yes, you are right. pflogd is not involved when you use interface
name directly.
> > If you didn't change default snap length, there may be other bugs
> > in pftcpdump. In this case, please tell me more detailed information
> > in order to reproduce on my box.
> > (rule set, network setup, the procedure taken to generate the packet,
> > etc.)
>
> pftcpdump -s 0 -i pflog0 shows everything fine. This means that default
> snaplen is really too short for me.
> Looking through the source, I see that both tcpdump and pftcpdump have the
> default snaplen of 68.
> tcpdump -s 68 -i xl0 does show port numbers.
> pftcpdump -s 68 -i pflog0 does not. (but starts showing them at -s 72).
> 72 seems to be minimum snaplen to read tcp/udp headers.
>
Yes. This is pftcpdump's problem. You may still need snaplen 92 or
96 if you want to see the same output as 'tcpdump -s 68' (i.e. you
may want to see the TCP option field).
Of course, if you just need the port number, you can decrease the
snaplen as low as 72 or 76. Anyway, I'll commit the fix.
Thank you very much.
Regards,
Pyun YongHyeon
--
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
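The "[|tcp]" / "[|udp]" behaviour discussed in the thread, as an added example that is not part of the original mail or of pftcpdump: a small decoder that mimics tcpdump's truncation checks on a frame cut at a given snaplen, so you can see why ports disappear when the bytes in front of the IP header (link header or pflog pseudo-header) eat into the snaplen. The packets are constructed inline; the 14-byte Ethernet header is real, but PSEUDO_HDR_LEN is an arbitrary illustration value, not the actual size of the pflog header, and the output format only approximates tcpdump's.

```python
"""Added example (not from the thread): why a short snaplen yields "[|tcp]"/"[|udp]".

Packets below are constructed for illustration. ETHER_HDR_LEN is the real Ethernet
header size; PSEUDO_HDR_LEN is an assumed, made-up length standing in for whatever
pseudo-link header precedes the IP packet on a logging interface.
"""
import struct
from ipaddress import IPv4Address

ETHER_HDR_LEN = 14   # real Ethernet II header length
PSEUDO_HDR_LEN = 32  # ASSUMPTION for illustration only, not the pflog header size


def ipv4_header(src, dst, proto, payload_len, ihl_words=5):
    """Minimal IPv4 header; checksum left at 0 (the decoder never verifies it)."""
    total = ihl_words * 4 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 0, 0x4000,
                      64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + b"\x00" * (ihl_words * 4 - 20)   # zero-filled IP options if ihl > 5


def tcp_header(sport, dport, options=b""):
    """Minimal TCP header (SYN); options must be a multiple of 4 bytes."""
    assert len(options) % 4 == 0
    doff = 5 + len(options) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, 0x02, 8192, 0, 0) + options


def udp_header(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def decode(capture, link_len):
    """Decode a (possibly truncated) captured frame the way tcpdump reports it.

    capture:  the bytes actually captured, i.e. the frame already cut at snaplen.
    link_len: bytes of link-layer / pseudo-link header to skip before the IP header.
    tcpdump prints "[|tcp]" or "[|udp]" when the fixed transport header is not
    fully within the captured bytes, so no ports can be shown.
    """
    pkt = capture[link_len:]
    if len(pkt) < 20:
        return "[|ip]"
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = str(IPv4Address(pkt[12:16]))
    dst = str(IPv4Address(pkt[16:20]))
    if len(pkt) < ihl:
        return f"{src} > {dst}: [|ip]"
    l4 = pkt[ihl:]
    if proto == 6:
        if len(l4) < 20:                       # fixed TCP header not fully captured
            return f"{src} > {dst}: [|tcp]"
        sport, dport = struct.unpack("!HH", l4[:4])
        doff = (l4[12] >> 4) * 4
        opts = " [|tcp]" if len(l4) < doff else ""   # options present but cut off
        return f"{src}.{sport} > {dst}.{dport}: tcp{opts}"
    if proto == 17:
        if len(l4) < 8:                        # fixed UDP header not fully captured
            return f"{src} > {dst}: [|udp]"
        sport, dport = struct.unpack("!HH", l4[:4])
        return f"{src}.{sport} > {dst}.{dport}: udp"
    return f"{src} > {dst}: proto {proto}"


def min_snaplen(link_len, ihl, proto, options_len=0):
    """Smallest snaplen at which decode() can print ports (and TCP options, if any)."""
    fixed = 20 if proto == 6 else 8
    return link_len + ihl + fixed + options_len


if __name__ == "__main__":
    tcp = ipv4_header("10.0.0.1", "10.0.0.2", 6, 20) + tcp_header(1234, 80)
    for hdr_len in (ETHER_HDR_LEN, PSEUDO_HDR_LEN):
        frame = b"\x00" * hdr_len + tcp
        for snaplen in (68, 72):
            print(hdr_len, snaplen, decode(frame[:snaplen], hdr_len))
        print("minimum snaplen:", min_snaplen(hdr_len, 20, 6))
```

With a 14-byte Ethernet header, 14 + 20 + 20 = 54 bytes fit inside the default snaplen of 68, so ports show; once the bytes in front of the IP header grow, the same snaplen no longer covers the fixed TCP header and tcpdump falls back to "[|tcp]". The function min_snaplen is the arithmetic to run before trusting any "no ports shown" output.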