Date: Thu, 12 Mar 2009 16:13:30 -0400
From: "Petersen, Mark" <MPetersen@gs1us.org>
To: "N. Ersen SISECI" <siseci@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: RE: Log Labels?
Message-ID: <54B7F7DBCA12D94CA3FE17B68F1461A705EA05A4@LVNJEVS205.UCCORG.org>
In-Reply-To: <49B8AAA3.7060505@gmail.com>
References: <54B7F7DBCA12D94CA3FE17B68F1461A705E5B993@LVNJEVS205.UCCORG.org> <49B8AAA3.7060505@gmail.com>
Great, I would love to try a patch for 7.0. Do you have a patch for wireshark/tshark/mergecap as well by any chance? Have you submitted these patches to OpenBSD people? Any feedback on getting this merged in?

Thanks,
Mark

> -----Original Message-----
> From: N. Ersen SISECI [mailto:siseci@gmail.com]
> Sent: Thursday, March 12, 2009 1:25 AM
> To: Petersen, Mark
> Cc: freebsd-pf@freebsd.org
> Subject: Re: Log Labels?
>
> Hello,
>
> I have been using this patch for a long time. If you apply if_pflog
> patches to pf and print-pflog.c to tcpdump you should see label values
> in log lines.
>
> If you are interested in this patch I can send you its 7.0 version.
>
> # tcpdump -nttttveli pflog0 -s 1024
> 2009-03-12 08:23:22.206866 rule 2336/0(match): pass in on em0: label 70:
> (tos 0x0, ttl 128, id 1054, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.6.2.4252 > 1.2.3.4.443: S, cksum 0x1480 (correct), 3376786061:3376786061(0) win 65535 <mss 1460,nop,nop,sackOK>
>
>
> Thanks,
>
> N. Ersen SISECI
> http://www.enderunix.org
>
>
> Petersen, Mark wrote:
> > Hello,
> >
> > I'm trying to find out if it's possible to do IPF like log-tags with pf.
> > I found an interesting patch here -
> > http://osdir.com/ml/os.freebsd.devel.pf4freebsd/2006-06/msg00062.html
> > that enables this. It doesn't appear to have made it into pflog though.
> >
> > Is there a way to use this feature? I'd much rather be logging a label
> > and rule #. I can see if these patches still work with 7 of course.
> > Has anyone tried this?
> >
> > Finally - it appears there are only patches for pf, but if I compile
> > tcpdump with the pf patches, will it work? What about using mergecap
> > with this? If I recompile mergecap/tshark would this work? I know I
> > can just try, but no sense reinventing the wheel if someone else spent
> > some time trying to do the same.
> >
> > Thanks,
> > Mark
> >
> > _______________________________________________
> > freebsd-pf@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
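An added example, not code from the thread or from the pflog/tcpdump patch it discusses: it parses tcpdump output in the labelled pflog format Ersen shows above, glues wrapped continuation lines back onto their record, and counts packets per label and action, which is the per-label view Mark is asking for. The first sample record is the one from the thread, the second is constructed, and the rule that any line not starting with a timestamp and "rule" continues the previous record is an assumption.

```python
import re
from collections import Counter

# Header printed by the label-patched print-pflog.c, as shown in the thread:
#   "<date> <time> rule N/M(reason): action dir on ifname: label L: <packet summary>"
HEADER_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\S+): label (?P<label>\d+):(?P<rest>.*)")
# IPv4 endpoints inside the packet summary ("192.168.6.2.4252 > 1.2.3.4.443:").
ENDPOINT_RE = re.compile(r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")

def join_records(text):
    """Glue wrapped lines onto the pflog header before them. Assumption: a line that
    does not start a new record (timestamp + 'rule') continues the previous one."""
    records = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if HEADER_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_record(record):
    """Fields of one labelled pflog record as a dict, or None if it is not one."""
    m = HEADER_RE.match(record)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sub", "label"):
        rec[key] = int(rec[key])
    ep = ENDPOINT_RE.search(rec.pop("rest"))
    rec.update(ep.groupdict() if ep else {})
    return rec

def count_by_label(text):
    """Packets per (label, action): the per-label view the thread is after."""
    counts = Counter()
    for rec in filter(None, map(parse_record, join_records(text))):
        counts[(rec["label"], rec["action"])] += 1
    return counts

# Constructed sample: the first record is copied from the thread, the second is made up.
SAMPLE = """\
2009-03-12 08:23:22.206866 rule 2336/0(match): pass in on em0: label 70:
(tos 0x0, ttl 128, id 1054, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.6.2.4252 > 1.2.3.4.443: S, cksum 0x1480 (correct), 3376786061:3376786061(0) win 65535 <mss 1460,nop,nop,sackOK>
2009-03-12 08:23:23.000412 rule 12/0(match): block in on em0: label 70:
(tos 0x0, ttl 64, id 7, offset 0, flags [DF], proto: TCP (6), length: 60) 10.0.0.9.51000 > 192.168.6.2.22: S, cksum 0x0000 (correct), 1:1(0) win 65535
"""
```

Feed it `tcpdump -nttttveli pflog0` output captured to a file to get a per-label breakdown without pf labels having to survive into syslog.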
