[nycbug-talk] some C help?

Brian A. Seklecki lavalamp at spiritual-machines.org
Sat Mar 10 17:16:52 EST 2007


>>> spamlogd is using):
>>>
>>> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 68
>>> bytes
>>> rule 12/0(match): pass out on fxp0: 10.10.10.9 > 10.10.10.10: [|tcp]
>>>
>>> But then it spits this out to syslog:


This bug is pretty well documented in a ticket I opened with the NetBSD 
folks on the default "snaplen" size being determined based on the 
presence of IPv6 at compile-time vs. run-time vs. the "-i" argument.

http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=34733

-s 96 or -s 128 for the win.

~BAS


>>>
>>> Mar 10 00:09:24 slimjim spamlogd[72636]: invalid ip address 10.10.10
>>>
>>> Note the lack of the final octet.
>>>
>>> This is (I hope) the area where spamlogd parses the output of tcpdump:
>>
>> yes, it is, but no need to analyze it...
>>
>> it does its job correctly.
>>
>>> That chunk makes very little sense to me.
>>>
>>> Can anyone give me a quick shove in the right direction?
>>
>> ...and the reason yours is failing is not because of that chunk of code,
>> but rather your pflog interface.  it should look like:
>>
>> 	[blah] 10.10.10.9.XXXX > 10.10.10.10.25: [blah]
>>
>> where XXXX is an ephemeral port...basically your log is dropping the
>> port number. why? i don't know - what does your pf rule look like?
>
> oh, and i'll add that -current (and 4.1) doesn't spawn tcpdump any more,
> but uses pcap directly....plus lots of other yummy features - ask for
> the port to get upgraded ;)
>

l8*
 	-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
 	       http://www.spiritual-machines.org/

"...from back in the heady days when "helpdesk" meant nothing, "diskquota"
meant everything, and lives could be bought and sold for a couple of pages
of laser printout - and frequently were."
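
The symptom in the thread, as an added illustration that is not spamlogd's code and not part of the original message: when the capture is too short for tcpdump to print ports, a parser that expects `a.b.c.d.port` and always cuts at the last dot turns `10.10.10.9` into `10.10.10`. The function names `strip_port_naive` and `strip_port` are hypothetical, and the tokens are constructed from the lines quoted above.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not spamlogd's code. Both take one address token
 * from tcpdump output and write the bare IPv4 address to out.
 * Return 0 on success, -1 on failure. */

/* Cuts at the last dot unconditionally, assuming a port is always there. */
int strip_port_naive(const char *tok, char *out, size_t outlen)
{
    struct in_addr a;
    const char *last = strrchr(tok, '.');
    size_t len;
    if (last == NULL || (len = (size_t)(last - tok)) >= outlen)
        return -1;
    memcpy(out, tok, len);
    out[len] = '\0';
    return inet_pton(AF_INET, out, &a) == 1 ? 0 : -1;
}

/* Requires exactly four dots (a.b.c.d.port) before cutting, so a token
 * from a truncated capture is rejected as "no port", not mangled. */
int strip_port(const char *tok, char *out, size_t outlen)
{
    size_t dots = 0;
    const char *p;
    for (p = tok; *p != '\0'; p++)
        if (*p == '.')
            dots++;
    if (dots != 4)
        return -1;
    return strip_port_naive(tok, out, outlen);
}

int main(void)
{
    /* Constructed tokens: one as in the "[|tcp]" line, one with a port. */
    const char *toks[] = { "10.10.10.9", "10.10.10.9.1234" };
    char buf[INET_ADDRSTRLEN];
    size_t i;

    for (i = 0; i < 2; i++) {
        int n = strip_port_naive(toks[i], buf, sizeof(buf));
        printf("%-16s naive=%d (%s)", toks[i], n, buf);
        printf(" checked=%d\n", strip_port(toks[i], buf, sizeof(buf)));
    }
    return 0;
}
```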


