Date:      Thu, 02 Jan 2025 23:28:49 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 283799] tcpdump (14.2+) endian-swaps uid when parsing pflog data
Message-ID:  <bug-283799-227-bq6gaQWu9j@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-283799-227@https.bugs.freebsd.org/bugzilla/>


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283799

--- Comment #4 from eborisch+FreeBSD@gmail.com ---
Something like:

pass out log (user) on eth0

in pf.conf should generate cases. Traffic will need to be from someone other
than root to be interesting.

I see things like:

# tcpdump -er /var/log/pflog

[...]
16:48:29.398601 rule 5/0(match) [uid 436469760]: pass out on vtnet0:
machine.name.one.23101 > machine.name.two.ssh: Flags [S], seq 3725723442, win
65535, options [mss 1460, [|tcp]

where that uid should be 1050, and not 436469760.

>>> import socket
>>> socket.ntohl(436469760)
1050

Most of the other fields are from network code, which frequently lives in the
big-endian world. UID and PID are local parameters, so the endian mismatch
isn't that surprising, if not explicitly documented.

-- 
You are receiving this mail because:
You are the assignee for the bug.
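The mechanism behind the number in this comment, as an added example that is not part of the bug report or of tcpdump: pf writes the rule number in network byte order but the uid in the logging host's native order, so a decoder that reads every field with network-order unpacking produces 436469760 for a uid of 1050 on a little-endian host. The record layout below is a constructed two-field stand-in, not the real `struct pfloghdr` (see `sys/net/if_pflog.h` for that), and the host is assumed to be little-endian (amd64); `byteswap32` and `looks_swapped` are helpers written here for triaging logs that were already printed with the wrong byte order.

```python
import struct

# Assumption: the host that wrote the pflog file is little-endian (amd64).
HOST_ORDER = "<"

def build_record(rulenr: int, uid: int) -> bytes:
    """Constructed pflog-like record: rulenr in network order, uid in host order.
    This is a stand-in for the real pfloghdr layout, not a copy of it."""
    return struct.pack("!I", rulenr) + struct.pack(HOST_ORDER + "I", uid)

def parse_record_naive(rec: bytes) -> dict:
    """Read every field as network order: the behaviour the bug report describes.
    rulenr comes out right, uid comes out byte-swapped."""
    rulenr, uid = struct.unpack("!II", rec[:8])
    return {"rulenr": rulenr, "uid": uid}

def parse_record_correct(rec: bytes) -> dict:
    """Read rulenr as network order and uid as the logging host's native order."""
    rulenr = struct.unpack("!I", rec[:4])[0]
    uid = struct.unpack(HOST_ORDER + "I", rec[4:8])[0]
    return {"rulenr": rulenr, "uid": uid}

def byteswap32(value: int) -> int:
    """Reverse the byte order of a 32-bit value regardless of the byte order
    of the machine running this script (socket.ntohl is a no-op on big-endian hosts)."""
    return struct.unpack("<I", struct.pack(">I", value))[0]

def looks_swapped(uid: int, max_plausible_uid: int = 1 << 20) -> bool:
    """Triage heuristic for already-printed logs: flag a uid that is far outside
    the plausible range when its byte-swapped form is inside that range."""
    return uid > max_plausible_uid and byteswap32(uid) <= max_plausible_uid

if __name__ == "__main__":
    rec = build_record(rulenr=5, uid=1050)
    print("naive  :", parse_record_naive(rec))    # uid 436469760, as in the report
    print("correct:", parse_record_correct(rec))  # uid 1050
    print("swap   :", byteswap32(436469760))      # 1050
```

`looks_swapped` is only a plausibility check for reading logs produced by the affected tcpdump; the fix is to decode the uid and pid fields in the writer's byte order in the first place.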

