pf  

Re: viewing pf rules in tcpdump output

Can Erkin Acar
Mon, 16 Jan 2006 03:06:51 -0800

On Sun, Jan 15, 2006 at 05:43:49PM -0500, Melameth, Daniel D. wrote:
> Peter wrote:
> > --- "Melameth, Daniel D." <[EMAIL PROTECTED]> wrote:
> > > Peter wrote:
> > > > Question: Why does tcpdump show pf rules when I use the pflog0
> > > > interface in combination with the -e switch (link layer)?  It's a
> > > > fantastic feature but it seems like an odd way to arrive at it.
> > > > 
> > > > rule 0/(match) [uid 0, pid 14885] pass out on fxp0: esp
> > > > 192.168.1.1 > 192.168.2.213 spi 0x00001
> > > 
> > > Not only is it a fantastic feature, I'm quite pleased with the
> > > design and ability to use tools I'm already comfortable with to
> > > review packet logs/dumps.  How would you do it differently/better?
> > 
> > My comment is about the output not being related to the switch used.
> > What does a matching filter rule have to do with the data link layer?
> 
> Guess the devs can comment on that...  FWIW, I see this as the "layer
> two" equivalent of pflog and find this far more useful, in this
> capacity, than MAC addresses.

Also note that pf only does IP filtering, and does not even have access
to the ethernet header (MAC addresses etc.) of the packets.
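As an added illustration (not part of the thread, and not code from the OpenBSD project), the small parser below turns the rule-annotated lines that `tcpdump -n -e -i pflog0` prints, in the format quoted above (`rule 0/(match) [uid 0, pid 14885] pass out on fxp0: ...`), into structured records and tallies which rules are blocking traffic. The sample lines are constructed; treating the `[uid N, pid M]` part and a leading timestamp as optional is an assumption so the parser also accepts lines produced without those fields.

```python
import re
from collections import Counter

# One line of `tcpdump -n -e -i pflog0` output, modelled on the line quoted in
# the thread. The optional leading timestamp and the optional "[uid N, pid M]"
# group are assumptions so that lines without them still parse.
PFLOG_LINE = re.compile(
    r"^(?:(?P<ts>\S+)\s+)?"                                   # optional timestamp
    r"rule\s+(?P<rule>\d+)/\((?P<reason>[^)]+)\)\s+"          # "rule 0/(match)"
    r"(?:\[uid\s+(?P<uid>\d+),\s+pid\s+(?P<pid>\d+)\]\s+)?"   # "[uid 0, pid 14885]"
    r"(?P<action>\w+)\s+(?P<dir>in|out)\s+on\s+"              # "pass out on"
    r"(?P<ifname>[^:\s]+):\s+"                                # "fxp0:"
    r"(?P<packet>.*)$"                                        # IP-layer summary
)

# Constructed sample output; the first line is the one quoted in the thread,
# the rest are made-up entries (RFC 5737 addresses) plus one non-pflog line.
SAMPLE = """\
rule 0/(match) [uid 0, pid 14885] pass out on fxp0: esp 192.168.1.1 > 192.168.2.213 spi 0x00001
rule 3/(match) block in on fxp0: 203.0.113.7.41022 > 192.168.1.1.22: S 1:1(0) win 65535
rule 3/(match) block in on fxp0: 203.0.113.7.41023 > 192.168.1.1.23: S 1:1(0) win 65535
rule 5/(match) pass in on fxp0: 198.51.100.9 > 192.168.1.1: icmp: echo request
this line is not pflog output
"""


def parse_pflog_line(line):
    """Return a dict for one pflog line, or None if the line is not pflog output."""
    m = PFLOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    # uid/pid are only present when pf logged them; keep None otherwise.
    rec["uid"] = int(rec["uid"]) if rec["uid"] is not None else None
    rec["pid"] = int(rec["pid"]) if rec["pid"] is not None else None
    return rec


def parse_pflog(text):
    """Parse a whole tcpdump capture, silently skipping non-pflog lines."""
    records = []
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec is not None:
            records.append(rec)
    return records


def blocked_by_rule(records):
    """Count blocked packets per pf rule number, e.g. {3: 2}."""
    return Counter(r["rule"] for r in records if r["action"] == "block")


def blocked_sources(records):
    """Peer side of each blocked packet ("203.0.113.7.41022"), for triage."""
    sources = []
    for r in records:
        if r["action"] == "block":
            # The packet summary starts with "src > dst"; take the source token.
            sources.append(r["packet"].split(" > ", 1)[0])
    return sources


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE)
    for r in recs:
        print(f"rule {r['rule']:>3} {r['action']:<5} {r['dir']:<3} {r['ifname']:<5} {r['packet']}")
    print("blocked per rule:", dict(blocked_by_rule(recs)))
    print("blocked sources:", blocked_sources(recs))
```

Feed it saved output (`tcpdump -n -e -r /var/log/pflog` works the same way, since the rule annotation comes from the pflog header rather than from the -e flag's usual Ethernet fields) and the per-rule counts show which block rules are doing the work without grepping by hand.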