tcpdump mailing list archives

Re: Small configure diff to use pflog header from


From: Guy Harris <guy () alum mit edu>
Date: Sun, 08 Jul 2007 14:07:02 -0700

Max Laier wrote:

> the attached makes libpcap and tcpdump use pfvar.h/if_pflog.h from the host system (if available) - which is what most people will want[*].

What most people want, I think, is to be able to capture on the pflog interface and read pflog files, regardless of how that happens; if that can be done without using the host system's if_pflog.h, they probably won't care.

If the DLT_ value for pflog files were changed every time the pflog header was changed, that could be done. Unfortunately, that hasn't happened (at least one OpenBSD change doesn't appear to have been accompanied by a DLT_ value change), so, at least for formats used in the past, that can't be fixed.

Given that, unless the various systems supporting pflog interfaces are willing to agree to have, in the future, different DLT_ values for different pflog headers (which would probably mean introducing new DLT_ values for all systems, so we can start afresh), my inclination would be to completely omit support for pflog files on systems that don't have a <net/if_pflog.h> header. (Unfortunately, we can't handle the case of a pflog file from, for example, OpenBSD 3.4 through 3.7 being read on OpenBSD 3.8 through 4.1 - the header format changed, but the DLT_ value didn't - so the only way to detect that is to see that tcpdump etc. just show junk.)

As such, I'd be willing to check the change in - if it were modified to completely remove DLT_PFLOG support if there is no <net/if_pflog.h> header, as a change to make it handle only headers for the OS and version on which it's built would imply no support if a given OS+version doesn't *have* pflog.