* Theo de Raadt <[email protected]> [2010-09-21 02:36]: > > On 2010/09/20 11:10, Henning Brauer wrote: > > > oh and when the snaplen is too small i > > > don't do the rewrite and pass out the packet unmodified... not sure > > > what else we could do but dropping, which would be inconsistent with > > > other pcap stuff. > > > > oh that's wierd indeed. would it be totally insane to print both the > > natted and original addresses? then it would be clear that it's been > > truncated. > > you mean a complete protocol break for pflog?
actually, the pflog header now has space for an extra address pair (needed kernel side anyway). the idea is indeed to pass out the original addresses in there and make tcpdump print them, too. and this is not a protocol break, thanks to canacars awesome work in pcap. > naw, you can do this with henning's new stuff. log the packet twice. sssh, that doesn't work that way yet, that comes after this diff is in :) -- Henning Brauer, [email protected], [email protected] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
