> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of stan
> Sent: Monday, September 12, 2005 1:04 PM
> To: OpenBSD general usage list
> Subject: A question about examining pf logging data
>
> I've set up a transparent bridge, with pf in "pass all log" mode to
> capture data to/from a particular subnet. I am gathering data about the
> traffic that passes through this gateway in order to prepare for
> installing a firewall.
>
> I've captured a bit of data as pflog files. Then I've processed these
> files with:
>
> tcpdump -n -e -tttt
>
> Which results in data records like this:
>
> 2005-09-08 20:26:40.328379 rule 5/0(match): pass out on fxp0: IP
> 170.85.113.49.3092 > 170.85.107.35.1500: . 1460:2920(1460) ack 1 win 63947
>
> This has most of the data that I need, but it seems to be missing one
> thing that I think is important. How can I determine if the traffic is
> TCP/UDP/ICMP etc?
>
If you have ack and window flags, then it is TCP, not UDP.
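The protocol is not missing from the tcpdump text, it is encoded in the shape of the tail after "src > dst:". The following is an added example, not code from the original thread: it parses records in the `tcpdump -n -e -tttt -r <pflog file>` format quoted above and classifies each as TCP, UDP or ICMP. It assumes the OpenBSD tcpdump text format of that era (TCP segments printed as flags, a seq range, an optional `ack n` and a `win n` token; UDP datagrams as `udp <len>`; ICMP messages as `icmp: <type>`). The first sample line is the post's own record with the wrapped address rejoined; the remaining sample lines are constructed for the example.

```python
"""Classify transport protocol from `tcpdump -n -e -tttt -r pflog` text output.

Added example, not part of the original thread. Assumption: OpenBSD tcpdump
prints TCP segments as "<flags> <seq>:<seq>(<len>) [ack <n>] win <n> ...",
UDP datagrams as "udp <len>" and ICMP messages as "icmp: <type>".
"""
import re
from collections import Counter
from typing import Optional, Tuple

# Constructed sample records (first line is the record quoted in the post).
SAMPLE_LINES = """\
2005-09-08 20:26:40.328379 rule 5/0(match): pass out on fxp0: IP 170.85.113.49.3092 > 170.85.107.35.1500: . 1460:2920(1460) ack 1 win 63947
2005-09-08 20:26:41.001122 rule 5/0(match): pass in on fxp0: IP 170.85.107.35.1500 > 170.85.113.49.3092: S 10:10(0) win 16384 <mss 1460>
2005-09-08 20:26:41.100000 rule 5/0(match): pass out on fxp0: IP 170.85.113.49.4567 > 170.85.107.35.53: udp 33
2005-09-08 20:26:42.500000 rule 5/0(match): pass in on fxp0: IP 170.85.107.35 > 170.85.113.49: icmp: echo request
2005-09-08 20:26:43.000000 rule 5/0(match): pass out on fxp0: IP 170.85.113.49.3092 > 170.85.107.35.1500: R 0:0(0) ack 1 win 0
"""

# Common header up to the protocol-specific tail ("rest").
_HEADER = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\S+): (?P<action>\S+) (?P<dir>in|out) "
    r"on (?P<ifname>\S+): IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)

# TCP: a flag string (S, F, R, P, "." for none, W/E for ECN) followed by a
# seq range, or the "win N" token tcpdump prints for every segment. A bare
# SYN has "win" but no "ack", so keying on "ack" alone would miss it.
_TCP_SEG = re.compile(r"^[SFRPWE.]+ \d+:\d+\(\d+\)")
_TCP_WIN = re.compile(r"\bwin \d+")


def classify(rest: str) -> str:
    """Return 'tcp', 'udp', 'icmp' or 'other' for the text after 'src > dst:'."""
    if rest.startswith("icmp"):
        return "icmp"
    if rest.startswith("udp"):
        return "udp"
    if _TCP_SEG.match(rest) or _TCP_WIN.search(rest):
        return "tcp"
    return "other"


def _split_endpoint(ep: str, has_port: bool) -> Tuple[str, Optional[int]]:
    """'a.b.c.d.port' -> ('a.b.c.d', port) for TCP/UDP; ICMP hosts carry no port."""
    if has_port and ep.count(".") == 4:
        host, port = ep.rsplit(".", 1)
        return host, int(port)
    return ep, None


def parse_line(line: str) -> Optional[dict]:
    """Parse one record into a dict, or None if the line is not in this format."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    proto = classify(m["rest"])
    ported = proto in ("tcp", "udp")
    src_host, src_port = _split_endpoint(m["src"], ported)
    dst_host, dst_port = _split_endpoint(m["dst"], ported)
    return {
        "ts": m["ts"], "rule": m["rule"], "action": m["action"],
        "dir": m["dir"], "ifname": m["ifname"], "proto": proto,
        "src_host": src_host, "src_port": src_port,
        "dst_host": dst_host, "dst_port": dst_port,
    }


def summarize(text: str) -> Counter:
    """Count records per protocol; lines that do not parse count as 'unparsed'."""
    counts: Counter = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        counts[rec["proto"] if rec else "unparsed"] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES.splitlines():
        rec = parse_line(line)
        print(rec["proto"], rec["src_host"], rec["src_port"],
              "->", rec["dst_host"], rec["dst_port"])
    print(dict(summarize(SAMPLE_LINES)))
```

Feed it the output of `tcpdump -n -e -tttt -r /path/to/pflog` to get per-protocol counts and per-record endpoint and port fields for the firewall planning described in the question. tcpdump also accepts a BPF filter expression when reading a saved file, so `tcpdump -n -e -tttt -r <pflog file> tcp` (or `udp`, `icmp`) selects one protocol at read time without any post-processing.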