From owner-freebsd-pf@FreeBSD.ORG Fri May 2 02:45:16 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 94EF6106564A for ; Fri, 2 May 2008 02:45:16 +0000 (UTC) (envelope-from holborn-pf@real-life.tm) Received: from scud.webtrickery.com (scud.webtrickery.com [212.74.113.185]) by mx1.freebsd.org (Postfix) with ESMTP id 5EB498FC13 for ; Fri, 2 May 2008 02:45:16 +0000 (UTC) (envelope-from holborn-pf@real-life.tm) Received: (user holborn) by scud.webtrickery.com (Exim 4.66 #1 FreeBSD) with LOCAL id 1JrlGt-0004LW-Hf for ; Fri, 02 May 2008 03:45:15 +0100 Date: Fri, 2 May 2008 03:45:15 +0100 From: Drav Sloan To: freebsd-pf@freebsd.org Message-ID: <20080502024515.GC70377@real-life.tm> References: <20080502020537.GA70377@real-life.tm> <20080502023222.GC25833@verio.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable In-Reply-To: <20080502023222.GC25833@verio.net> Organisation: Bongmasters Inc User-Agent: Mutt/1.5.14 (2007-02-12) Subject: Re: a buildworld yeilds tcpdump oddness X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 May 2008 02:45:16 -0000 David DeSimone wrote: > When you see the [|xxx] syntax in tcpdump, that is its way of telling > you that the packet you captured is truncated, and it cannot show you > more information unless you capture a longer packet. >=20 > With recent changes to PF, the default capture size (68 bytes as seen > above) is insufficient. Try adding "-s128" to capture more of the > packets and you should see an improvement. Et volia! Been using tcpdump for years, never knew about that one!=20 Cheers Dave, (and appologies for multiple post, I thought the first one would of been rejected given it's return address...) Regards Drav.