Log Labels?

Petersen, Mark MPetersen at gs1us.org
Thu Mar 12 13:13:34 PDT 2009


Great, I would love to try a patch for 7.0.  Do you have a patch for wireshark/tshark/mergecap as well by any chance?  Have you submitted these patches to OpenBSD people?  Any feedback on getting this merged in?

Thanks,
Mark

> -----Original Message-----
> From: N. Ersen SISECI [mailto:siseci at gmail.com]
> Sent: Thursday, March 12, 2009 1:25 AM
> To: Petersen, Mark
> Cc: freebsd-pf at freebsd.org
> Subject: Re: Log Labels?
> 
> Hello,
> 
> I have been using this patch for a long time. If you apply if_pflog
> patches to pf and print-pflog.c to tcpdump, you should see label values
> in log lines.
> 
> If you are interested in this patch, I can send you its 7.0 version.
> 
> # tcpdump -nttttveli pflog0 -s 1024
> 2009-03-12 08:23:22.206866 rule 2336/0(match): pass in on em0: label
> 70:
> (tos 0x0, ttl 128, id 1054, offset 0, flags [DF], proto: TCP (6),
> length: 48) 192.168.6.2.4252 > 1.2.3.4.443: S, cksum 0x1480 (correct),
> 3376786061:3376786061(0) win 65535 <mss 1460,nop,nop,sackOK>
> 
> 
> Thanks,
> 
> N. Ersen SISECI
> http://www.enderunix.org
> 
> 
> Petersen, Mark wrote:
> > Hello,
> >
> > I'm trying to find out if it's possible to do IPF like log-tags with pf.
> > I found an interesting patch here -
> > http://osdir.com/ml/os.freebsd.devel.pf4freebsd/2006-06/msg00062.html
> > that enables this.  It doesn't appear to have made it into pflog though.
> >
> > Is there a way to use this feature?  I'd much rather be logging a label
> > and rule #.  I can see if these patches still work with 7 of course.
> > Has anyone tried this?
> >
> > Finally - it appears there are only patches for pf, but if I compile
> > tcpdump with the pf patches, will it work?  What about using mergecap
> > with this?  If I recompile mergecap/tshark would this work?  I know I
> > can just try, but no sense reinventing the wheel if someone else spent
> > some time trying to do the same.
> >
> > Thanks,
> > Mark
> >
> > _______________________________________________
> > freebsd-pf at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
> >
> >
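
For readers who want to consume this output in log tooling, here is an added example (not part of the thread and not code from the patch) that parses the tcpdump line format shown in the quoted reply and counts hits per label. It assumes IPv4 addresses and labels without a colon; `parse_line`, `count_by_label` and the second sample line are constructed for illustration.

```python
import re
from collections import Counter

# Constructed input: the thread's sample line joined back onto one line, plus
# a made-up line in the same layout without the label field (unpatched tcpdump).
SAMPLE = [
    "2009-03-12 08:23:22.206866 rule 2336/0(match): pass in on em0: label 70: "
    "(tos 0x0, ttl 128, id 1054, offset 0, flags [DF], proto: TCP (6), "
    "length: 48) 192.168.6.2.4252 > 1.2.3.4.443: S, cksum 0x1480 (correct), "
    "3376786061:3376786061(0) win 65535 <mss 1460,nop,nop,sackOK>",
    "2009-03-12 08:23:25.000000 rule 12/0(match): block in on em0: "
    "(tos 0x0, ttl 64, id 7, offset 0, flags [DF], proto: TCP (6), "
    "length: 48) 192.168.6.9.1025 > 1.2.3.4.23: S, cksum 0x0000 (correct), "
    "1:1(0) win 65535 <mss 1460>",
]

# Assumptions: IPv4 addresses only, and a label never contains a colon.
PFLOG_RE = re.compile(
    r"rule (?P<rule>[^/\s]+)/(?P<reason>\d+\([^)]*\)): "
    r"(?P<action>\w+) (?P<direction>in|out) on (?P<iface>[^:\s]+):"
    r"(?: label (?P<label>[^:]*):)?"          # only present with the patch
    r".*? (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

def parse_line(line):
    """Return the pflog fields of one tcpdump line, or None if it is not one."""
    m = PFLOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    if rec["label"] is not None:
        rec["label"] = rec["label"].strip()
    return rec

def count_by_label(lines):
    """Count hits per (label, action); fall back to the rule number if unlabelled."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            key = rec["label"] if rec["label"] else "rule " + rec["rule"]
            hits[(key, rec["action"])] += 1
    return hits

if __name__ == "__main__":
    for (key, action), n in count_by_label(SAMPLE).items():
        print(f"{key:12} {action:6} {n}")
```

Lines from an unpatched tcpdump still parse; they are keyed by rule number instead of label.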


