Peter wrote:
> --- "Melameth, Daniel D." <[EMAIL PROTECTED]> wrote:
> > Peter wrote:
> > > Question: Why does tcpdump show pf rules when I use the pflog0
> > > interface in combination with the -e switch (link layer)?  It's a
> > > fantastic feature but it seems like an odd way to arrive at it.
> > > 
> > > rule 0/(match) [uid 0, pid 14885] pass out on fxp0: esp
> > > 192.168.1.1 > 192.168.2.213 spi 0x00001
> > 
> > Not only is it a fantastic feature, I'm quite pleased with the
> > design and ability to use tools I'm already comfortable with to review
> > packet logs/dumps.  How would you do it differently/better?
> 
> My comment is about the output not being related to the switch used. 
> What does a matching filter rule have to do with the data link layer?

Guess the devs can comment on that...  FWIW, I see this as the "layer
two" equivalent of pflog and find this far more useful, in this
capacity, than MAC addresses.
