Message-Id: <200802271155.m1RBt6U0058941@lava.sentex.ca>
Date: Wed, 27 Feb 2008 06:53:03 -0500
To: freebsd-pf@freebsd.org
From: Mike Tancsa
Subject: default snaplen on tcpdump

Is there any chance of changing the default snap length of tcpdump to be a few bytes bigger? With pf on RELENG_7, the default of 96 is too short now.
So doing just a

# tcpdump -nei pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
06:50:57.651128 rule 7/0(match): pass in on bge0: 190.73.138.253.2020 > xx.7.141.12.25: tcp 28 [bad hdr length 0 - too short, < 20]

Going to -s100 seems to be a safe value and avoids the "bad header" errors.

        ---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike