
pf & tcpdump on 3.0


I run an OpenBSD 3.0 machine with pf. Runs nice and I can monitor logs
through tcpdump -netttvi pflog0 or check the binary log files through
tcpdump -netttvr /var/log/pflog.

However, I don't have X running so I copy the pflog file to another
machine in order to load it in Ethereal. That won't work. Ethereal
doesn't load the pflog file and says something like "unknown data link
type 17".

I tried tcpdump -netttvr pflog on other machines (FreeBSD and Linux,
tcpdump versions 3.6.0 and 3.4.x) and
they can't read the file saying "unknown data link type 17" or do read
the file but the output is totally messed up.

After that I tried to run it through tcpshow and tcpflow on the OpenBSD
3.0 box and also these tools can't handle the pflog file
with a "unknown data link type 17" error.

Does someone have a clue on why I can't read the pflog files, except
with OpenBSD 3.0's tcpdump version 3.4.0?

thanx for any answer/clue

Gr. Arjan
Eat hard
Sleep hard
Wear glasses if you need them
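A small diagnostic for the situation described in the post, added here as an example; it is not code from the poster, from OpenBSD or from tcpdump. The "data link type" a reader complains about is the linktype field in the 24-byte libpcap global header, and every record that follows starts with a 16-byte per-packet header whose layout does not depend on the link type at all. So a file like /var/log/pflog is not corrupt when tcpdump on another host rejects it; the reader simply has no dissector for that link type. In libpcap's dlt.h the value 17 is DLT_OLD_PFLOG (OpenBSD's original pflog encapsulation) and 117 is DLT_PFLOG (the later one); the few other names in the table are also taken from dlt.h. The script reads a capture, reports the link type, and counts the records by walking the per-packet headers, which works regardless of whether the link type is known. The sample file it builds in memory is constructed test data with dummy payloads, not a real pflog capture.

```python
import struct
import sys

# Link-layer type codes from libpcap's dlt.h (only the handful relevant here).
DLT_NAMES = {
    0: "DLT_NULL",
    1: "DLT_EN10MB",
    12: "DLT_RAW",
    17: "DLT_OLD_PFLOG",   # OpenBSD's original pflog encapsulation, the "17" in this thread
    117: "DLT_PFLOG",      # the pflog encapsulation later OpenBSD and libpcap settled on
}

PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond timestamps
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def pcap_endianness(data):
    """Return '<' or '>' depending on how the writing host stored the magic number."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file is shorter than a pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            return endian
    raise ValueError("not a libpcap capture file (magic 0x%08x)"
                     % struct.unpack(">I", data[:4])[0])


def parse_global_header(data):
    """Decode the 24-byte libpcap global header into a dict."""
    endian = pcap_endianness(data)
    major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR_LEN])
    return {
        "endian": endian,
        "version": (major, minor),
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": DLT_NAMES.get(linktype, "unknown to this script"),
    }


def count_records(data):
    """Walk the per-packet headers and return how many complete records the file holds.

    The per-packet header (ts_sec, ts_frac, incl_len, orig_len) is link-type independent,
    so this works even when no dissector for the link type is available."""
    endian = pcap_endianness(data)
    offset = GLOBAL_HDR_LEN
    count = 0
    while offset + RECORD_HDR_LEN <= len(data):
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HDR_LEN])
        offset += RECORD_HDR_LEN
        if offset + incl_len > len(data):
            break   # truncated final record, do not count it
        offset += incl_len
        count += 1
    return count


def build_sample_pcap(linktype, payloads, endian="<"):
    """Construct a minimal pcap file in memory (constructed test data, not a real capture)."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, linktype)
    for i, payload in enumerate(payloads):
        out += struct.pack(endian + "IIII", 1000 + i, 0, len(payload), len(payload)) + payload
    return out


# Constructed sample: a pcap whose global header claims link type 17, with two dummy records.
SAMPLE_PFLOG17 = build_sample_pcap(17, [b"\x00" * 28 + b"\x45" + b"\x00" * 19, b"\x00" * 28])


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    hdr = parse_global_header(blob)
    print("pcap v%d.%d, snaplen %d, link type %d (%s), %d records" % (
        hdr["version"] + (hdr["snaplen"], hdr["linktype"],
                          hdr["linktype_name"], count_records(blob))))
```

Run it as `python pcapinfo.py /var/log/pflog` on a copy of the log. If it reports link type 17 and a sensible record count, the file is intact and the fix is a reader that implements that link type (for example, the OpenBSD 3.0 tcpdump that wrote it), not a re-capture; if the magic check fails, the file was damaged in transfer.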
