On Wed, Nov 19, 2008 at 01:13:32AM +0000, Stuart Henderson wrote:
> On 2008/11/19 13:48, Russell Fulton wrote:
> > Does anyone have any suggestions as to how we can get data in pf log
> > files into pcap files that can be read (and filtered) on other
> > systems.
>
> the packets have a "struct pfloghdr" header as described in pflog(4);
> this could be chopped off. I'm not aware of existing software that does
> this, but it would be simple to code.

net/tcpreplay includes a utility called 'tcprewrite' that removes this information (or rewrites it with whatever you want).

"other systems" may actually understand the pfloghdr data and know how to present it. If they don't, ask for it. The information in there can be very useful.

-Ryan
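The "chop off the pfloghdr" approach mentioned in the quoted reply, as an added example that is not part of the original thread and is not tcprewrite's code. It assumes a classic (microsecond) pcap file with link type 117 (PFLOG), and that the first byte of each pfloghdr holds the header length, padded to a 4-byte boundary as tcpdump's pflog decoder treats it; the function names and the sample capture are constructed for illustration.

```python
import struct

LINKTYPE_PFLOG = 117   # link type of captures written from a pflog interface
LINKTYPE_RAW = 101     # raw IP: each record starts at the IPv4/IPv6 header

def strip_pfloghdr(pcap_bytes):
    """Return a LINKTYPE_RAW pcap built from a LINKTYPE_PFLOG pcap."""
    magic = pcap_bytes[:4]
    if len(pcap_bytes) >= 24 and magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif len(pcap_bytes) >= 24 and magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    vmaj, vmin, zone, sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", pcap_bytes[4:24])
    if linktype != LINKTYPE_PFLOG:
        raise ValueError("link type %d is not PFLOG" % linktype)
    out = bytearray(magic + struct.pack(
        endian + "HHiIII", vmaj, vmin, zone, sigfigs, snaplen, LINKTYPE_RAW))
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, caplen, origlen = struct.unpack(
            endian + "IIII", pcap_bytes[off:off + 16])
        pkt = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < caplen:          # file ends mid-record: stop
            break
        if caplen == 0:                # nothing captured for this record
            continue
        # Assumption: byte 0 is pfloghdr.length, rounded up to 4 bytes.
        hdrlen = (pkt[0] + 3) & ~3
        if hdrlen > caplen:            # snaplen cut into the pflog header
            continue
        ip = pkt[hdrlen:]
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(ip),
                           max(origlen - hdrlen, len(ip)))
        out += ip
    return bytes(out)

def build_sample():
    """Constructed input: one pflog record wrapping a dummy 20-byte IPv4 header."""
    pfhdr = bytes([61, 2]) + bytes(62)   # length=61, af=2, rest zeroed, padded to 64
    ip = bytes([0x45]) + bytes(19)
    pkt = pfhdr + ip
    return (struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, LINKTYPE_PFLOG)
            + struct.pack("<IIII", 1227057212, 0, len(pkt), len(pkt)) + pkt)
```

Stripping the header discards the rule number, action, reason and interface name that pf recorded, which is the information Ryan notes can be very useful, so keep the original log alongside the converted file.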
