On Mon, Mar 27, 2006 at 12:43:35PM +0200, Luca Losio wrote:

> But probably is a pcap related problem, pcap must save the payload
> too.....isn't it?

No, the pcap reader (i.e. pflogd, tcpdump, or your own program) tells the kernel how much payload it wants through the snaplen parameter. If you run pflogd with -s 96, there won't be any payload written to /var. If you write your own logger, you'll have to read up on snaplen in pcap(3).

Daniel
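
How the snaplen shows up in a saved capture, as an added example that is not part of the original message: this Python sketch reads the classic pcap savefile header and the per-record lengths, and reports how many bytes of each packet were cut off before storage. The sample capture is constructed in code; the function names and the link type value 117 (pflog) are assumptions of the example.

```python
import struct

MAGIC = 0xA1B2C3D4      # classic pcap savefile, microsecond timestamps
LINKTYPE_PFLOG = 117    # assumption of this example: link type for pflog

def build_capture(snaplen, wire_lengths):
    """Constructed sample: a savefile as a reader with this snaplen would write it."""
    out = struct.pack("<IHHiIII", MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_PFLOG)
    for i, wire_len in enumerate(wire_lengths):
        caplen = min(wire_len, snaplen)   # bytes past snaplen never reach the reader
        out += struct.pack("<IIII", i, 0, caplen, wire_len) + bytes(caplen)
    return out

def audit_capture(data):
    """Return (snaplen, [(caplen, wire_len, bytes_cut), ...]) for a pcap savefile."""
    if len(data) < 24:
        raise ValueError("truncated file header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MAGIC:
        e = "<"
    elif magic == 0xD4C3B2A1:             # same magic written by a big-endian host
        e = ">"
    else:
        raise ValueError("not a classic pcap savefile")
    snaplen = struct.unpack_from(e + "I", data, 16)[0]
    records, off = [], 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("truncated record header")
        _sec, _usec, caplen, wire_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        if caplen > len(data) - off:
            raise ValueError("record data runs past end of file")
        records.append((caplen, wire_len, wire_len - caplen))
        off += caplen
    return snaplen, records

if __name__ == "__main__":
    snaplen, records = audit_capture(build_capture(96, [60, 96, 1500]))
    print("snaplen:", snaplen)
    for caplen, wire_len, cut in records:
        print(f"stored {caplen:4d} of {wire_len:4d} bytes, {cut} cut off")
```

A record whose stored length equals the snaplen while its wire length is larger is one where the rest of the packet was never written to disk.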
