Re: [patch] Teach tcpdump to recognize new OpenBSD pflog packets

[Eygene Ryabinkin <rea-tcpdump () codelabs ru>]

Guy, good day.

Mon, Sep 24, 2007 at 02:24:34PM -0700, Guy Harris wrote:
> On Sep 24, 2007, at 11:25 AM, Eygene Ryabinkin wrote:
>
> > OpenBSD 4.1 introduced an incompatible change to their pflog device
> > packet header:
>
> ...and didn't introduce a new DLT_ value.

Exactly.

> It appears that FreeBSD will be doing the same for 7.0, so we just
> gave up and said "no pflog dissection except on systems that support
> pflog, and we only dissect pflog files in the format on that machine -
> get the definition of pflog packets from the system header file".

Why?  The 'length' value is different for new and old 'struct
pfloghdr', see
    http://fxr.watson.org/fxr/source/net/if_pflog.c?v=OPENBSD#L192
And it is always filled since revision 1.9 of OpenBSD's if_pflog.c,
see
    http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflog.c?annotate=1.25
So on the systems that were built after Wed May 14 08:42:00 2003 UTC
we actually have a way to differentiate between old and new formats.

I suspect (thought this was not tested) that my patch will work for
if_pflog.c < 1.9, since for these versions m1.len was filled with
PFLOG_HDRLEN and, if I am correct, this value will be seen by the
tcpdump, at least it is fed to the bpf_filter() inside the bpf_mtap():
    http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/bpf.c?rev=1.34&content-type=text/x-cvsweb-markup.

Sometimes one still wants to decode tcpdump traces coming from the
other hosts, so it will be great to support it.  Even facing the
sad fact that new DLT_ value has not beed introduced.

> Max Laier submitted a patch to do that, which is checked into the main
> and x.9 branches.

Cc'ing him.  Max, what do you think about it?
-- 
Eygene
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.