Re: tcpdump: packet printing is not supported for link type PFLOG

[Guy Harris <guy () alum mit edu>]

On Oct 26, 2014, at 7:55 PM, "Jason Pyeron" <jpyeron () pdinc us> wrote:

> When I './tcpdump  -r -' I get a:
> reading from file -, link-type PFLOG (OpenBSD pflog file)
> tcpdump: packet printing is not supported for link type PFLOG: use -w
>
> I am using tcpdump 4ac7226 and libpcap 625575f.
>
> Did I miss a configure option?

Are you building on an operating system that supports PFLOG as a filter mechanism?

If not, then the option you missed is the "use an operating system that supports PFLOG as a filter mechanism, and that 
provides the headers for PFLOG packets as a standard system include file" option.

I think the only OSes that support those options are OpenBSD and FreeBSD; if you're not building on those OSes, you 
can't read PFLOG files, because the developers of PFLOG apparently found it too difficult either to standardize the 
PFLOG header or to add a version field to it, so that LINKTYPE_PFLOG/DLT_PFLOG can be a standard format in pcap and 
pcap-ng files writable by one operating system and readable by a different operating system, rather than a file whose 
format is OS and OS-version dependent and that therefor can only be read by a program expecting a particular OS 
version's flavor of PFLOG.

(And if you *are* building on those OSes, what you'll get is a version of tcpdump that can read dumps from that 
particular version of the OS, but won't necessarily be able to read dumps from other versions of the same OS or other 
OSes.)

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers