Many thanks for your time, patience and explanation.
On 11/14/08, Can Erkin Acar <[EMAIL PROTECTED]> wrote:
> soko.tica Wrote:
>> Hello, list
>>
>> When I tried to see pf log of my recently installed OpenBSD 4.4
>> desktop box, I've got the message that snaplen has been raised from 96
>> to 116, even when I did give it a try with -s 96.
>
> That is normal. The snaplen is only used for listening on an interface.
> When reading a capture file, tcpdump uses the snaplen recorded in the
> file, regardless of the snaplen setting.
>
> 116 is what pflogd(8) uses for recording pflog traffic. Since pflog
> interface headers are bigger than ethernet headers, 116 is the minimum
> you can use that can reliably capture all pflog interface headers plus
> IP and TCP/UDP headers.
>
>> $ sudo tcpdump -n -e -ttt -r /var/log/pflog -s 96
>> Password:
>> tcpdump: WARNING: snaplen raised from 96 to 116
>>
>> Any thoughts how to reduce it to examine the logs? Aside, could that
>> be a symptom of a break-in?
>
> You can not, and even if you did, you would be truncating TCP/UDP
> headers so the information you see would be incomplete. Where did 96
> come from anyway? Some obscure policy written for ethernet interfaces?
>
> Now, if somebody broke into your system, they would want to disable
> logging, or reduce the amount logged, not increase it.
>
> Can
