Thanks! I will try it!
> -----Original Message-----
> From: Daniel Hartmeier [mailto:daniel@benzedrine.cx]
> Sent: Friday, November 08, 2002 12:31 PM
> To: Adam Getchell
> Cc: [EMAIL PROTECTED]
> Subject: Re: Logging packet contents
>
>
> On Fri, Nov 08, 2002 at 12:16:39PM -0800, Adam Getchell wrote:
>
> > I'd like to know if there's (a pointer to) an easy way to inspect the
> > contents of the logged packets. For example, I want to find out the address
> > of people sending the Pop-up spam "Get your university diploma here!"
>
> $ tcpdump -nevvvXr /var/log/pflog udp port 135
>
> Nov 01 15:40:25.157497 rule 7/0(match): block in on kue0: 211.239.172.33.1046 > 62.65.145.30.135: [udp sum ok] udp 724 (ttl 110, id 57767)
> 0000: 4500 02f0 e1a7 0000 6e11 18e5 d3ef ac21 E.......n......!
> 0010: 3e41 911e 0416 0087 02dc 9b82 0400 0800 >A..............
> 0020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0030: 0000 0000 f891 7b5a 00ff d011 a9b2 00c0 ......{Z........
> 0040: 4fb6 e6fc e16e be00 c13b af4d af0f 664c O....n...;.M..fL
> 0050: 5248 bd03 0000 0000 0100 0000 0000 0000 RH..............
> 0060: 0000 ffff ffff 8402 0000 0000 0900 0000 ................
> 0070: 0000 0000 0900 0000 5745 4250 4f50 5550 ........WEBPOPUP
> 0080: 0000 0000 0100 0000 0000 0000 0100 0000 ................
> 0090: 0000 0000 4f02 0000 0000 0000 4f02 0000 ....O.......O...
> 00a0: 5520 4e20 4920 5620 4520 5220 5320 4920 U N I V E R S I
> 00b0: 5420 5920 2020 4420 4920 5020 4c20 4f20 T Y D I P L O
> 00c0: 4d20 4120 530d 0a0d 0a4f 6274 6169 6e20 M A S....Obtain
> 00d0: 6120 7072 6f73 7065 726f 7573 2066 7574 a prosperous fut
> 00e0: 7572 652c 206d 6f6e 6579 2065 6172 6e69 ure, money earni
> 00f0: 6e67 2070 6f77 6572 2c0d 0a61 6e64 2074 ng power,..and t
> [...]
>
> Note that the source address is possibly spoofed. Imagine the spammers
> had picked your IP as source for a mass popup spam when you word a
> complaint...
>
> > Also, this method won't work on a transparent bridge unless there's a third
> > NIC configured with an IP address, correct?
>
> No, any packet logged with pf ends up in /var/log/pflog, and you can
> tcpdump it with any options described in tcpdump(8). If you're
> interested in the entire packets, see pflogd(8) and increase the snaplen
> beyond the default of 96 bytes.
>
> Daniel
>
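
Added example, not part of the mail above and not pf's, pflogd's or tcpdump's own code: a small Python decoder that does by hand what the quoted tcpdump command does, and in addition flags packets that pflogd's snaplen cut short, which is the caveat in the last paragraph of the reply. It assumes the pcap container pflogd(8) writes, link type 117 (DLT_PFLOG), the length-prefixed pfloghdr of current pf (header length rounded up to 4 bytes the way tcpdump's pflog printer does it, dir byte at offset 60, action code 1 = block), and IPv4/UDP only. The capture it parses is constructed inline to resemble the Messenger popup shown above, reusing the addresses, rule number and interface name from the dump; the payload bytes beyond the visible text are made up.

```python
# Added example, not from the thread or from pf/OpenBSD. Assumes a pcap file as
# pflogd(8) writes it, link type 117 (DLT_PFLOG), current pf's length-prefixed
# pfloghdr rounded to 4 bytes (as tcpdump does) with dir at offset 60; IPv4/UDP.
import socket
import struct

DLT_PFLOG, AF_INET_BSD = 117, 2
PF_ACTION, PF_DIR = {0: "pass", 1: "block"}, {1: "in", 2: "out"}


def ip_checksum(hdr):
    # RFC 1071 one's-complement sum over an even-length IPv4 header
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    total = (total & 0xFFFF) + (total >> 16)
    return ~((total & 0xFFFF) + (total >> 16)) & 0xFFFF


def build_udp_packet(src, sport, dst, dport, payload, ttl=110, ip_id=57767):
    """IPv4 + UDP around payload; UDP checksum left 0 (permitted over IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, 0, ttl, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + udp


def build_pflog_frame(ifname, action, direction, rulenr, ip_packet):
    """Prepend a pfloghdr: length byte 61, padded to 64 on the wire (assumed layout)."""
    hdr = struct.pack("!BBBB16s16sIIIIII", 61, AF_INET_BSD, action, 0, ifname.encode(),
                      b"", rulenr, 0, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF)
    return hdr + struct.pack("B3x", direction) + ip_packet


def build_pcap(frames, snaplen):
    """Little-endian pcap container; each frame is cut at snaplen, like pflogd -s."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, DLT_PFLOG)
    for i, frame in enumerate(frames):
        cap = frame[:snaplen]
        out += struct.pack("<IIII", 1036800000 + i, 0, len(cap), len(frame)) + cap
    return out


# Constructed sample: a Messenger-service popup to udp/135, shaped like the one
# in the thread (RPC-looking prefix, "WEBPOPUP", then the spam text).
SPAM_TEXT = (b"U N I V E R S I T Y   D I P L O M A S\r\n\r\n"
             b"Obtain a prosperous future, money earning power,")
SAMPLE_PAYLOAD = (b"\x04\x00\x08\x00\x10" + b"\x00" * 40
                  + b"WEBPOPUP\x00\x00\x00\x00" + SPAM_TEXT + b"\x00")


def build_sample_pcap(snaplen):
    pkt = build_udp_packet("211.239.172.33", 1046, "62.65.145.30", 135, SAMPLE_PAYLOAD)
    return build_pcap([build_pflog_frame("kue0", 1, 1, 7, pkt)], snaplen)


def parse_pflog_frame(frame):
    """pfloghdr + IPv4 + UDP -> dict; None if not IPv4 or cut before the IP header."""
    if len(frame) < 64:
        return None
    length, af, action = frame[0], frame[1], frame[2]
    rulenr, = struct.unpack_from("!I", frame, 36)             # pf stores it htonl()ed
    hdrlen = (length + 3) & ~3                                # BPF_WORDALIGN
    ip = frame[hdrlen:]
    if af != AF_INET_BSD or len(ip) < 20:
        return None
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    rec = {"ifname": frame[4:20].split(b"\0", 1)[0].decode(), "rule": rulenr,
           "action": PF_ACTION.get(action, str(action)), "dir": PF_DIR.get(frame[60], "?"),
           "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
           "proto": ip[9], "ip_len": total_len, "payload": b"",
           "truncated": len(frame) < hdrlen + total_len}   # snaplen cut the packet
    if ip[9] == 17 and len(ip) >= ihl + 8:
        sport, dport, ulen = struct.unpack_from("!HHH", ip, ihl)
        rec.update(sport=sport, dport=dport, udp_len=ulen - 8, payload=ip[ihl + 8:ihl + ulen])
    return rec


def parse_pflog_pcap(data):
    """Walk the pcap records of a pflog file and decode each frame."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None or struct.unpack_from(endian + "I", data, 20)[0] != DLT_PFLOG:
        raise ValueError("not a DLT_PFLOG pcap file")
    records, off = [], 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from(endian + "I", data, off + 8)[0]
        rec = parse_pflog_frame(data[off + 16:off + 16 + caplen])
        if rec:
            records.append(rec)
        off += 16 + caplen
    return records


def printable_runs(payload, minlen=4):
    """strings(1)-style runs of printable ASCII: the readable column of -X output."""
    runs, cur = [], bytearray()
    for b in payload + b"\0":                 # trailing NUL flushes the last run
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= minlen:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


if __name__ == "__main__":
    for snaplen in (96, 1600):                # 96 was pflogd's default in 2002
        for r in parse_pflog_pcap(build_sample_pcap(snaplen)):
            print("snaplen %d: rule %d %s %s on %s: %s.%d > %s.%d udp %d%s" % (
                snaplen, r["rule"], r["action"], r["dir"], r["ifname"], r["src"],
                r["sport"], r["dst"], r["dport"], r["udp_len"],
                " [cut by snaplen]" if r["truncated"] else ""), printable_runs(r["payload"]))
```

Run as-is it decodes the same packet twice: at a 96-byte snaplen only four payload bytes survive after the 64-byte pflog header and 28 bytes of IP/UDP headers (so no text is recoverable and the record is flagged truncated), at 1600 the whole popup text comes out. The source address it prints is whatever the sender put in the IP header, which is the spoofing point made in the reply: treat it as a lead, not as proof, before complaining to anyone.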