meaning of pflog / tcpdump output


meaning of pflog / tcpdump output

julf
Hi!

Another really stupid question - is the full output format
of tcpdump when dumping the pflog0 device documented somewhere?
I am getting a fair bit of log lines that are shown as
"rule def/(short)", and I can't find anything explaining
the meaning of things like "(short)" - the tcpdump man
page only lists "short" as one of the possible values,
without explaining what it means.

        Julf


Re: meaning of pflog / tcpdump output

matteo filippetto
> Another really stupid question - is the full output format
> of tcpdump when dumping the pflog0 device documented somewhere?
> I am getting a fair bit of log lines that are shown as
> "rule def/(short)", and I can't find anything explaining
> the meaning of things like "(short)" - the tcpdump man
> page only lists "short" as one of the possible values,
> without explaining what it means.


Hi,

all you need is at

http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

Best regards


--
Matteo Filippetto
http://op83.blogspot.com


Re: meaning of pflog / tcpdump output

julf
Matteo,

> all you need is at
>
> http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

Thanks, but as I wrote:

>> I am getting a fair bit of log lines that are shown as
>> "rule def/(short)", and I can't find anything explaining
>> the meaning of things like "(short)" - the tcpdump man
>> page only lists "short" as one of the possible values,
>> without explaining what it means.

So the tcpdump(8) page states:

reason code        True if the packet was logged with the specified PF
                        reason code.  The known codes are: match, bad-offset,
                        fragment, short, normalize, memory, bad-timestamp,
                        congestion, ip-option, proto-cksum, state-mismatch,
                        state-insert, state-limit, src-limit, and synproxy

But... What does reason code "short" mean? What causes it? I am sure
the *meaning* of the reason codes are documented somewhere (rather
than just listing the possible codes), but I haven't found it. I guess
the next step is to look at the source.

        Julf


Re: meaning of pflog / tcpdump output

Ted Unangst-2
In reply to this post by matteo filippetto
On Sat, Jan 22, 2011 at 10:38 AM, matteo filippetto
<[hidden email]> wrote:
>> the meaning of things like "(short)" - the tcpdump man
>> page only lists "short" as one of the possible values,
>> without explaining what it means.

> http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

If the man page doesn't explain what short means, a link to the man
page isn't the right answer.


Re: meaning of pflog / tcpdump output

Joel Sing-3
In reply to this post by julf
On Sunday 23 January 2011, Johan Helsingius wrote:

> Matteo,
>
> > all you need is at
> >
> > http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
>
> Thanks, but as I wrote:
> >> I am getting a fair bit of log lines that are shown as
> >> "rule def/(short)", and I can't find anything explaining
> >> the meaning of things like "(short)" - the tcpdump man
> >> page only lists "short" as one of the possible values,
> >> without explaining what it means.
>
> So the tcpdump(8) page states:
>
> reason code        True if the packet was logged with the specified PF
>                         reason code.  The known codes are: match,
> bad-offset, fragment, short, normalize, memory, bad-timestamp, congestion,
> ip-option, proto-cksum, state-mismatch, state-insert, state-limit,
> src-limit, and synproxy
>
> But... What does reason code "short" mean? What causes it? I am sure
> the *meaning* of the reason codes are documented somewhere (rather
> than just listing the possible codes), but I haven't found it. I guess
> the next step is to look at the source.

The "short" reason code indicates that the packet was truncated or too short
and therefore was missing information required to make a packet filtering
decision. This could be, for example, a packet that only contained the first
few bytes of an IP datagram (or a header that states that it is a particular
length, but the packet is shorter than the length given). Run `grep
PFRES_SHORT sys/net/pf*` if you want to see where/how this can occur.
--

   "Stop assuming that systems are secure unless demonstrated insecure;
    start assuming that systems are insecure unless designed securely."
          - Bruce Schneier
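To make Joel's description of the "short" reason concrete, here is an added example (not code from this thread or from pf itself) that applies the same kind of length-consistency checks to a captured IPv4 packet: too few bytes for the header, an IHL or total-length field claiming more than was captured, or a UDP length that does not fit in the bytes actually present. The constants, the `build_udp` helper and the sample packets are constructed for this illustration; pf's real checks are the ones `grep PFRES_SHORT sys/net/pf*` turns up.

```python
import struct
from typing import Optional

IP_HDR_MIN = 20   # bytes: minimal IPv4 header (IHL = 5)
UDP_HDR_LEN = 8
TCP_HDR_MIN = 20
PROTO_TCP, PROTO_UDP = 6, 17


def short_reason(pkt: bytes) -> Optional[str]:
    """Return why an IPv4 packet lacks the bytes needed for a filtering
    decision (the situation pf logs as reason "short"), or None if it
    carries enough. Simplified re-creation for illustration, not pf's code."""
    if len(pkt) < IP_HDR_MIN:
        return "fewer bytes than a minimal IPv4 header"
    ver_ihl, _tos, total_len = struct.unpack_from("!BBH", pkt, 0)
    if ver_ihl >> 4 != 4:
        return None  # not IPv4: outside this example's scope
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < IP_HDR_MIN or len(pkt) < ihl:
        return "IHL claims more header bytes than were captured"
    if total_len < ihl or len(pkt) < total_len:
        return f"IP total length {total_len} but only {len(pkt)} bytes present"
    proto = pkt[9]
    payload = pkt[ihl:total_len]          # transport header + data
    if proto == PROTO_UDP:
        if len(payload) < UDP_HDR_LEN:
            return "UDP header truncated"
        udp_len = struct.unpack_from("!H", payload, 4)[0]
        if udp_len < UDP_HDR_LEN or udp_len > len(payload):
            return f"UDP length {udp_len} does not fit in {len(payload)} bytes"
    elif proto == PROTO_TCP and len(payload) < TCP_HDR_MIN:
        return "TCP header truncated"
    return None


def build_udp(data: bytes, total_len: Optional[int] = None,
              udp_len: Optional[int] = None) -> bytes:
    """Constructed sample IPv4/UDP packet; the length fields can be made to lie
    (documentation addresses 192.0.2.1 -> 198.51.100.7, checksums left zero)."""
    udp = struct.pack("!HHHH", 53, 40000,
                      UDP_HDR_LEN + len(data) if udp_len is None else udp_len,
                      0) + data
    tl = IP_HDR_MIN + len(udp) if total_len is None else total_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, tl, 0, 0, 64, PROTO_UDP, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + udp
```

Feeding `short_reason` a packet such as `build_udp(b"\x00" * 12)[:24]` (a 40-byte datagram cut off after 24 bytes) reproduces the header-says-more-than-is-there case Joel describes.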


Re: meaning of pflog / tcpdump output

julf
> The "short" reason code indicates that the packet was truncated or too short
> and therefore was missing information required to make a packet filtering
> decision. This could be, for example, a packet that only contained the first
> few bytes of an IP datagram (or a header that states that it is a particular
> length, but the packet is shorter than the length given). Run `grep
> PFRES_SHORT sys/net/pf*` if you want to see where/how this can occur.

Yes, thanks, that is helpful. But now I am baffled by the truncated
packets, as I don't see them coming in, I only get the "short" log
lines on the *outgoing* direction on my internal interface (on
UDP packets coming back from the Internet as response to packets
sent from a machine behind the NATing firewall).

        Julf


Re: meaning of pflog / tcpdump output

matteo filippetto
In reply to this post by julf
2011/1/22 Johan Helsingius <[hidden email]>:
> Matteo,
>
>> all you need is at
>>
>> http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

>
> Thanks, but as I wrote:
>
>>> I am getting a fair bit of log lines that are shown as
>>> "rule def/(short)", and I can't find anything explaining
>>> the meaning of things like "(short)" - the tcpdump man
>>> page only lists "short" as one of the possible values,
>>> without explaining what it means.
>
> So the tcpdump(8) page states:
>
> reason code        True if the packet was logged with the specified PF
>                         reason code.  The known codes are: match, bad-offset,
>                         fragment, short, normalize, memory, bad-timestamp,
>                         congestion, ip-option, proto-cksum, state-mismatch,
>                         state-insert, state-limit, src-limit, and synproxy
>
> But... What does reason code "short" mean? What causes it? I am sure
> the *meaning* of the reason codes are documented somewhere (rather
> than just listing the possible codes), but I haven't found it. I guess
> the next step is to look at the source.
>
>         Julf
>
>

Sorry Johan.

I answered too quickly.

Best regards

--
Matteo Filippetto
http://op83.blogspot.com