Can Erkin Acar
Mon, 16 Jan 2006 02:21:05 -0800
On Sun, Jan 15, 2006 at 04:19:10PM -0500, Peter wrote:
> 
> --- "Melameth, Daniel D." <[EMAIL PROTECTED]> wrote:
> 
> > Peter wrote:
> > > Question: Why does tcpdump show pf rules when I use the pflog0
> > > interface in combination with the -e switch (link layer)? It's a
> > > fantastic feature but it seems like an odd way to arrive at it.
> > > 
> > > rule 0/(match) [uid 0, pid 14885] pass out on fxp0: esp 192.168.1.1
> > > > 192.168.2.213 spi 0x00001
> > 
> > Not only is it a fantastic feature, I'm quite pleased with the design
> > and ability to use tools I'm already comfortable with to review packet
> > logs/dumps. How would you do it differently/better?
> 
> My comment is about the output not being related to the switch used. What
> does a matching filter rule have to do with the data link layer?

The pflog0 interface is not a physical interface. The 'datalink layer' *is*
the pf rule that generated the log. So it really makes sense, and furthermore,
it is a nice and clean way of adding this extra information to the bpf packet
dumps.

Can
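As an added example (not code from this thread or from OpenBSD), the following Python decoder treats the bytes that precede the IP packet on a pflog0 frame as the pf rule record Can describes, which is exactly what tcpdump -e prints as the "link layer". The header layout, the network byte order of the 32-bit fields and the constant values are my assumptions from OpenBSD's if_pflog.h and pfvar.h of that era, and SAMPLE_FRAME is constructed to mirror the record quoted above.

```python
import struct

# Assumed DLT_PFLOG header of OpenBSD pflog(4) from the era of this thread (check
# against your if_pflog.h): u8 length, u8 af, u8 action, u8 reason, char ifname[16],
# char ruleset[16], u32 rulenr, u32 subrulenr, u32 uid, u32 pid, u32 rule_uid,
# u32 rule_pid, u8 dir, u8 pad[3]; 32-bit fields assumed in network byte order.
PFLOG_FMT = ">BBBB16s16sIIIIIIB3x"
PFLOG_HDRLEN = struct.calcsize(PFLOG_FMT)   # 64: size after BPF word alignment
PFLOG_REAL_HDRLEN = PFLOG_HDRLEN - 3        # 61: the value the kernel stores in 'length'
NO_SUBRULE = 0xFFFFFFFF                      # subrulenr when no anchor rule matched
ACTIONS = {0: "pass", 1: "block"}            # PF_PASS, PF_DROP
REASONS = {0: "match"}                       # PFRES_MATCH; other reasons not decoded here
DIRS = {0: "in/out", 1: "in", 2: "out"}      # PF_INOUT, PF_IN, PF_OUT
AFS = {2: "inet", 24: "inet6"}               # OpenBSD AF_INET, AF_INET6


def bpf_wordalign(n: int) -> int:
    """Round up to a 4-byte BPF word, as tcpdump does with hdr->length."""
    return (n + 3) & ~3


def cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_pflog(frame: bytes) -> dict:
    """Split one pflog0 frame into the pf rule record and the logged IP packet."""
    if len(frame) < PFLOG_HDRLEN:
        raise ValueError("frame too short for a pflog header")
    (length, af, action, reason, ifname, ruleset, rulenr, subrulenr,
     uid, pid, _rule_uid, _rule_pid, direction) = struct.unpack_from(PFLOG_FMT, frame)
    hdrlen = bpf_wordalign(length)        # the packet starts at the aligned header length
    if not PFLOG_REAL_HDRLEN <= hdrlen <= len(frame):
        raise ValueError(f"unexpected pflog header length {length}")
    rule = (str(rulenr) if subrulenr == NO_SUBRULE     # "N" or "N.anchor.M", tcpdump style
            else f"{rulenr}.{cstr(ruleset)}.{subrulenr}")
    return {
        "rule": rule, "reason": REASONS.get(reason, str(reason)),
        "action": ACTIONS.get(action, str(action)), "dir": DIRS.get(direction, str(direction)),
        "ifname": cstr(ifname), "af": AFS.get(af, str(af)), "uid": uid, "pid": pid,
        "payload": frame[hdrlen:],
    }


# Constructed sample frame: the record quoted in the thread (rule 0, match, pass out
# on fxp0, uid 0, pid 14885) followed by a constructed 20-byte IPv4 header with
# protocol 50 (ESP), 192.168.1.1 -> 192.168.2.213; checksum left as zero.
SAMPLE_FRAME = struct.pack(PFLOG_FMT, PFLOG_REAL_HDRLEN, 2, 0, 0, b"fxp0", b"",
                           0, NO_SUBRULE, 0, 14885, 0, 14885, 2) + bytes.fromhex(
    "45000014 00010000 40320000 c0a80101 c0a802d5")
```

Everything tcpdump prints before the colon in the quoted line comes from this header, which is why it only appears with -e and why a real bpf capture of pflog0 can be replayed through the same tools later.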