On 2009/01/10 23:11, Helmut Schneider wrote: > Stuart Henderson <[email protected]> wrote: >> On 2009/01/10 22:11, Helmut Schneider wrote: >>> >>> I'm running pf on an IPv6 gateway. I use 'tcpdump -n -e -ttt -r >>> /var/log/pflog' to see the pf traffic: >>> >>> Jan 10 21:49:02.181784 rule 36/(match) pass in on xl0: >>> 192.168.0.1.55206 > 192.168.0.2.161: GetRequest(9)[|snmp] >>> Jan 10 21:49:05.223501 rule 150/(match) pass out on bge0: >>> 2001:db8::1.63602 > 2001:db8::2.53:[|domain] [flowlabel 0xd2238] >>> >>> I now would like to see live action so I thought I analogous can use >>> 'tcpdump -n -e -ttt -i pflog0' which however prints a different >>> output: >>> >>> Jan 10 21:52:45.355937 rule 36/(match) pass in on xl0: >>> 192.168.0.1.49215 > 192.168.0.2.161: [|snmp] >>> Jan 10 21:52:45.821927 rule 150/(match) pass out on bge0: [|ip6] >>> >>> What do I have to do to see the detailed live output? I at least want >>> to see a detailed IPv6 output. >> >> Increase the snaplen (-s). > > What is the desired snaplen? Or in other words are there any caveats > to use e.g. 192 (2xdefault)?
it is down to your requirements. if you want to read further into the application data (either as -v or -vv decodes, and/or -X hex/ascii dump), you'll need more than if you just want to look at the src/dest/port. > Does 'tcpdump -r' calculate the best snaplen before outputting then? tcpdump -r shows whatever is in the file. by default pflogd uses 116, see the description of -s in pflogd(8).
