Re: [patch] Teach tcpdump to recognize new OpenBSD pflog packets

[Max Laier <max () love2party net>]

On Tuesday 25 September 2007, Eygene Ryabinkin wrote:
> Guy, good day.
>
> Mon, Sep 24, 2007 at 02:24:34PM -0700, Guy Harris wrote:
> > On Sep 24, 2007, at 11:25 AM, Eygene Ryabinkin wrote:
> > > OpenBSD 4.1 introduced an incompatible change to their pflog device
> > > packet header:
> >
> > ...and didn't introduce a new DLT_ value.
>
> Exactly.

My bad.  I could still do it, though.  Since the new format with old DLT 
is only in FreeBSD-CURRENT there is no real harm in bumping the DLT late.  
This, however, doesn't change things for OpenBSD where the new format 
with the old DLT has been in a release already.  I personally believe 
that it's not worth the effort as long as OpenBSD doesn't adopt a new DLT 
as well.

> > It appears that FreeBSD will be doing the same for 7.0, so we just
> > gave up and said "no pflog dissection except on systems that support
> > pflog, and we only dissect pflog files in the format on that machine
> > - get the definition of pflog packets from the system header file".
>
> Why?  The 'length' value is different for new and old 'struct
> pfloghdr', see
>     http://fxr.watson.org/fxr/source/net/if_pflog.c?v=OPENBSD#L192
> And it is always filled since revision 1.9 of OpenBSD's if_pflog.c,
> see
>    
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflog.c?annotate=1
> .25 So on the systems that were built after Wed May 14 08:42:00 2003 UTC
> we actually have a way to differentiate between old and new formats.
>
> I suspect (thought this was not tested) that my patch will work for
> if_pflog.c < 1.9, since for these versions m1.len was filled with
> PFLOG_HDRLEN and, if I am correct, this value will be seen by the
> tcpdump, at least it is fed to the bpf_filter() inside the bpf_mtap():
>    
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/bpf.c?rev=1.34&conten
> t-type=text/x-cvsweb-markup.
>
> Sometimes one still wants to decode tcpdump traces coming from the
> other hosts, so it will be great to support it.  Even facing the
> sad fact that new DLT_ value has not beed introduced.
>
> > Max Laier submitted a patch to do that, which is checked into the
> > main and x.9 branches.
>
> Cc'ing him.  Max, what do you think about it?

My plan is to import the new releases with my "fix" to FreeBSD in the next 
few days.  From my experience and feedback from various sources the need 
to look at old pflog dumps is rather small (if not non-existing).

-- 
/"\  Best regards,                      | mlaier () freebsd org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Attachment: signature.asc
Description: This is a digitally signed message part.