pflog problem

On a box that got recently upgraded to current, I am having
a problem 
reading from the pflog file.

Not sure what are the "unknown" bits are, but I
cant match hosts.

e.g. here are the last few entries in /var/log/pflog

[zoo]# tcpdump -ner /var/log/pflog | tail -10
reading from file /var/log/pflog, link-type PFLOG (OpenBSD
pflog file)
13:43:33.182398 rule 4/0(match): block unkn(255) on rl0: 
60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win
5840 
<nop,nop,timestamp 2776712857 2692640929>
13:43:35.622474 rule 4/0(match): block unkn(255) on rl0: 
60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win
5840 
<nop,nop,timestamp 2776713101 2692640929>
13:43:40.501939 rule 4/0(match): block unkn(255) on rl0: 
60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win
5840 
<nop,nop,timestamp 2776713589 2692640929>
13:43:43.279628 rule 4/0(match): block unkn(255) on rl0: 
60.12.128.147.4256 > 64.7.141.9.22: . ack 1 win 5840 
<nop,nop,timestamp 2776713866 2692640929>
13:43:50.262294 rule 4/0(match): block unkn(255) on rl0: 
60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win
5840 
<nop,nop,timestamp 2776714565 2692640929>
13:44:09.783308 rule 4/0(match): block unkn(255) on rl0: 
60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win
5840 
<nop,nop,timestamp 2776716517 2692640929>
13:44:48.823375 rule 4/0(match): block unkn(255) on rl0: 
60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win
5840 
<nop,nop,timestamp 2776720421 2692640929>
13:46:06.904224 rule 4/0(match): block unkn(255) on rl0: 
60.12.128.147.4256 > 64.7.141.9.22: F 0:0(0) ack 1 win
5840 
<nop,nop,timestamp 2776728229 2692640929>
13:50:29.020966 rule 7/0(match): block unkn(255) on rl0: 
207.231.228.166.31047 > 64.7.141.9.1026: UDP, length 365
13:52:25.229899 rule 7/0(match): block unkn(255) on rl0: 
64.7.128.102.55203 > 64.7.141.9.23: S
623064939:623064939(0) win 
65535 <mss 1460,nop,wscale 1,nop,nop,times


Should not the command

[zoo]# tcpdump -ner /var/log/pflog host 60.12.128.147
reading from file /var/log/pflog, link-type PFLOG (OpenBSD
pflog file)
[zoo]#

match some of the above entries ?

I see the same issue on pflog0

[zoo]# tcpdump  -nei pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full
protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file),
capture 
size 96 bytes
13:58:38.138472 rule 7/0(match): block unkn(255) on rl0: 
64.7.128.102.60319 > 64.7.141.9.23: [|tcp]
^C
1 packets captured
1 packets received by filter
0 packets dropped by kernel
[zoo]# tcpdump -nei pflog0 host 64.7.128.102
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full
protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file),
capture 
size 96 bytes


I should see entries on the second tcpdump of pflog0, but it
too does 
not filter it correctly.

It is hitting the rule

block  in log on $ext_if all

         ---Mike


------------------------------------------------------------
--------
Mike Tancsa,                                      tel +1 519
651 3400
Sentex Communications,                            mikesentex.net
Providing Internet since 1994                   
www.sentex.net
Cambridge, Ontario Canada                        
www.sentex.net/mike

_______________________________________________
freebsd-pffreebsd.org mailing list

http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to
"freebsd-pf-unsubscribefreebsd.org"

At 02:56 PM 9/12/2007, Max Laier wrote:

>You are missing the attached patch - which I am trying
to get through
>tcpdump.org.  The pflog header changed (once again) and
changes are
>required.  Sorry for the mess.

Hi,
         Thanks very much, that does indeed fix the
problem!

         ---Mike 

_______________________________________________
freebsd-pffreebsd.org mailing list

http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to
"freebsd-pf-unsubscribefreebsd.org"