tcpdump mailing list archives
Re: [patch] Teach tcpdump to recognize new OpenBSD pflog packets
From: Eygene Ryabinkin <rea-tcpdump () codelabs ru>
Date: Tue, 25 Sep 2007 10:39:31 +0400
Guy, good day. Mon, Sep 24, 2007 at 02:24:34PM -0700, Guy Harris wrote:
On Sep 24, 2007, at 11:25 AM, Eygene Ryabinkin wrote:OpenBSD 4.1 introduced an incompatible change to their pflog device packet header:...and didn't introduce a new DLT_ value.
Exactly.
It appears that FreeBSD will be doing the same for 7.0, so we just gave up and said "no pflog dissection except on systems that support pflog, and we only dissect pflog files in the format on that machine - get the definition of pflog packets from the system header file".
Why? The 'length' value is different for new and old 'struct pfloghdr', see http://fxr.watson.org/fxr/source/net/if_pflog.c?v=OPENBSD#L192 And it is always filled since revision 1.9 of OpenBSD's if_pflog.c, see http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflog.c?annotate=1.25 So on the systems that were built after Wed May 14 08:42:00 2003 UTC we actually have a way to differentiate between old and new formats. I suspect (thought this was not tested) that my patch will work for if_pflog.c < 1.9, since for these versions m1.len was filled with PFLOG_HDRLEN and, if I am correct, this value will be seen by the tcpdump, at least it is fed to the bpf_filter() inside the bpf_mtap(): http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/bpf.c?rev=1.34&content-type=text/x-cvsweb-markup. Sometimes one still wants to decode tcpdump traces coming from the other hosts, so it will be great to support it. Even facing the sad fact that new DLT_ value has not beed introduced.
Max Laier submitted a patch to do that, which is checked into the main and x.9 branches.
Cc'ing him. Max, what do you think about it? -- Eygene - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- [patch] Teach tcpdump to recognize new OpenBSD pflog packets Eygene Ryabinkin (Sep 24)
- Re: [patch] Teach tcpdump to recognize new OpenBSD pflog packets Guy Harris (Sep 24)
- Re: [patch] Teach tcpdump to recognize new OpenBSD pflog packets Eygene Ryabinkin (Sep 24)
- Re: [patch] Teach tcpdump to recognize new OpenBSD pflog packets Max Laier (Sep 27)
- Re: [patch] Teach tcpdump to recognize new OpenBSD pflog packets Gert Doering (Sep 28)
- Re: [patch] Teach tcpdump to recognize new OpenBSD pflog packets Eygene Ryabinkin (Sep 24)
- Re: [patch] Teach tcpdump to recognize new OpenBSD pflog packets Guy Harris (Sep 24)