
rule def/(short) in tcpdump -e


Axel Rau
Hi,

what does
rule def/(short) [uid 0, pid 0] pass in
mean in the tcpdumped pflog?

Thanks, Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius

Re: rule def/(short) in tcpdump -e

Henning Brauer-2
* Axel Rau <[hidden email]> [2014-10-20 12:30]:
> what does
> rule def/(short) [uid 0, pid 0] pass in
> mean in the tcpdumped pflog?

def: matched the implicit default rule
short: the reason why the packet was dropped - it was shorter than it
should have been, aka probably truncated (or malicious). grep for
PFRES_SHORT in sys/net/pf*.c for the exact cases.

when you see packets being dropped referring to the default rule that
means as much as pf dropped it for non-rule based reasons, i.e. too
short packets and the like, that usually happens before ruleset eval.

--
Henning Brauer, [hidden email], [hidden email]
BS Web Services GmbH, AG Hamburg HRB 128289, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, VMs/PVS, Application Hosting
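
An added example, not part of the original posts: a small Python parser that reads `tcpdump -e` pflog header lines and counts the packets attributed to the implicit default rule (`def`), grouped by the reason in parentheses. The header fragment matched is the one quoted in the thread; the timestamps, interface name, addresses and the `rule 4/(match)` line in the sample are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Header fragment as quoted in the thread:
#   rule def/(short) [uid 0, pid 0] pass in
# Assumption: a rule-based hit prints a plain rule number instead of "def",
# and the "[uid, pid]" part may be absent.
HEADER = re.compile(
    r"rule (?P<rule>def|\d+)/\((?P<reason>[^)]+)\)"
    r"(?: \[uid (?P<uid>\d+), pid (?P<pid>\d+)\])?"
    r" (?P<action>\w+) (?P<dir>in|out)\b"
)

def parse_line(line):
    """Return the pflog header fields of one line, or None if it has none."""
    m = HEADER.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # "def" means no ruleset rule was involved (non-rule-based handling).
    rec["default_rule"] = rec["rule"] == "def"
    return rec

def default_rule_reasons(lines):
    """Count default-rule hits per reason, e.g. {'short': 2}."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["default_rule"]:
            counts[rec["reason"]] += 1
    return counts

# Constructed sample input (not captured traffic).
SAMPLE = [
    "Oct 20 12:29:58.101 rule def/(short) [uid 0, pid 0] pass in on em0: "
    "192.0.2.10 > 198.51.100.1: [|icmp]",
    "Oct 20 12:29:59.002 rule 4/(match) block in on em0: "
    "192.0.2.77.51515 > 198.51.100.1.23: S 1:1(0) win 1024",
    "Oct 20 12:30:01.310 rule def/(short) [uid 0, pid 0] pass in on em0: "
    "192.0.2.10 > 198.51.100.1: [|tcp]",
    "Oct 20 12:30:02.000 line without a pflog header",
]

if __name__ == "__main__":
    for reason, n in default_rule_reasons(SAMPLE).most_common():
        print(f"default rule, reason {reason}: {n} packet(s)")
```

A steady count under `def` with reason `short` from a single source is worth a look at the raw packets, since the reason covers both truncation and deliberately malformed traffic.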

Re: rule def/(short) in tcpdump -e

Axel Rau

On 20.10.2014 at 12:35, Henning Brauer <[hidden email]> wrote:

> def: matched the implicit default rule
> short: the reason why the packet was dropped - it was shorter than it
> should have been, aka probably truncated (or malicious). grep for
> PFRES_SHORT in sys/net/pf*.c for the exact cases.
>
> when you see packets being dropped referring to the default rule that
> means as much as pf dropped it for non-rule based reasons, i.e. too
> short packets and the like, that usually happens before ruleset eval.
Thanks!
Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius
