NetBSD Problem Report #34733
From www@NetBSD.org Fri Oct 6 14:38:03 2006
Return-Path: <www@NetBSD.org>
Received: by narn.NetBSD.org (Postfix, from userid 31301)
id 161F763B8C9; Fri, 6 Oct 2006 14:38:03 +0000 (UTC)
Message-Id: <20061006143803.161F763B8C9@narn.NetBSD.org>
Date: Fri, 6 Oct 2006 14:38:03 +0000 (UTC)
From: bseklecki@collaborativefusion.com
Reply-To: bseklecki@collaborativefusion.com
To: gnats-bugs@NetBSD.org
Subject: tcpdump(8) requires default snaplen > 68 for pflog(4)
X-Send-Pr-Version: www-1.0
>Number: 34733
>Category: bin
>Synopsis: tcpdump(8) requires default snaplen > 68 for pflog(4)
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: doc-bug
>Submitter-Id: net
>Arrival-Date: Fri Oct 06 14:40:00 +0000 2006
>Last-Modified: Thu Sep 18 20:40:02 +0000 2008
>Originator: Brian A. Seklecki
>Release: NetBSD 3.0_STABLE
>Organization:
Collaborative Fusion, Inc.
>Environment:
NetBSD 3.0_STABLE (GENERIC+IPSEC-$Revision: 1.169.4.2 $) #3: Wed Jul 12 20:10:13 EDT 2006
>Description:
FreeBSD and OpenBSD have upped the default snaplen (-s #) to their in-tree tcpdump(8) to 96 to accommodate for additional packet-level info (such as source and destination TCP/UDP ports) which get truncated by the present NetBSD default snaplen of 68, marginalizing the usefulness of pflog(4) without special flags to tcpdump(8).
>How-To-Repeat:
Run the tcpdump(8) example in pflog(4) w/o "-s 96"
>Fix:
-) Append the flag to your tcpdump(8) command
-) Patch the tcpdump(8) example command in pflog(4)
-) Change the default snaplen in tcpdump
I will check with the upstream vendor to see what's up.
~BAS
>Audit-Trail:
From: "Jeremy C. Reed" <reed@reedmedia.net>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/34733
Date: Sat, 25 Nov 2006 12:18:47 -0600 (CST)
src/dist/tcpdump/interface.h has:
/*
* The default snapshot length. This value allows most printers to print
* useful information while keeping the amount of unwanted data down.
*/
#ifndef INET6
#define DEFAULT_SNAPLEN 68 /* ether + IPv4 + TCP + 14 */
#else
#define DEFAULT_SNAPLEN 96 /* ether + IPv6 + TCP + 22 */
#endif
I wonder where the problem is.
INET6 is defined in src/usr.sbin/tcpdump/Makefile
Do you have USE_INET6=no??
From: "Brian A. Seklecki" <bseklecki@collaborativefusion.com>
To: gnats-bugs@NetBSD.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: bin/34733
Date: Tue, 19 Dec 2006 15:12:14 -0500
Right; this is on a profiled system w/ :
mk.conf(5)
USE_INET6=no
MKINET6=no
NO_INET6=yes
So the problem only surfaces because the 96-byte snaplen is required for
both IPv6 _and_ CARP, and since CARP can work in IPv4-only environments,
it is a rare bug, but almost certainly warrants either:
-) run-time instead of compile-time checks
-) changing the default snaplen globally
...which doesn't seem like it'll have a detrimental performance impact
other than extremely high volume ipv4-only sites (which are probably
using libpcap/tcpdump from pkgsrc anyway)
~BAS
>
> src/dist/tcpdump/interface.h has:
>
> /*
> * The default snapshot length. This value allows most printers to print
> * useful information while keeping the amount of unwanted data down.
> */
> #ifndef INET6
> #define DEFAULT_SNAPLEN 68 /* ether + IPv4 + TCP + 14 */
> #else
> #define DEFAULT_SNAPLEN 96 /* ether + IPv6 + TCP + 22 */
> #endif
>
> I wonder where the problem is.
> INET6 is defined in src/usr.sbin/tcpdump/Makefile
>
> Do you have USE_INET6=no??
--
Brian A. Seklecki <bseklecki@collaborativefusion.com>
Collaborative Fusion, Inc.
From: "Brian A. Seklecki" <lavalamp@spiritual-machines.org>
To: tech-userlevel@netbsd.org, "Jeremy C. Reed" <reed@reedmedia.net>
Cc: gnats-bugs@NetBSD.org
Subject: Re: bin/34733: tcpdump(8) requires default snaplen > 68 for
pflog(4)
Date: Thu, 18 Sep 2008 16:39:44 -0400
Since I'm on a roll this week, I'd like to revisit this ticket as well.
Would it be possible to bump the default snaplen variables in
src/dist/tcpdump/interface.h to something more pf(4)-friendly
(independent of INET6)?
Other suggestions include modifying the default snaplen on a
per-interface-type basis.
Thoughts?
~BAS
On Fri, 2006-10-06 at 14:40 +0000, gnats-admin@netbsd.org wrote:
> Thank you very much for your problem report.
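
The truncation discussed in this report, as an added example (not code from the thread or from tcpdump): a minimal parser that reads TCP ports from a capture clipped to a given snaplen, run behind an Ethernet header and behind a pflog header. The 48-byte pflog header length is an assumption not stated in the report (it differs between pf versions), and the function names and the sample packet are constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETHER_HDRLEN         14
#define PFLOG_HDRLEN_ASSUMED 48 /* assumption: pflog header size, not from the PR */

/* Read TCP ports from the first caplen bytes; -1 = truncated, -2 = not IPv4/TCP. */
int tcp_ports(const uint8_t *p, size_t caplen, size_t linkhdr,
              uint16_t *sport, uint16_t *dport)
{
    if (caplen < linkhdr + 20) return -1;         /* IPv4 header cut off */
    const uint8_t *ip = p + linkhdr;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return -2;
    if (caplen < linkhdr + ihl + 4) return -1;    /* port fields cut off */
    *sport = (uint16_t)(ip[ihl] << 8 | ip[ihl + 1]);
    *dport = (uint16_t)(ip[ihl + 2] << 8 | ip[ihl + 3]);
    return 0;
}

/* Constructed sample: zeroed link header + IPv4 + TCP 12345 -> 22, clipped to snaplen. */
int ports_at_snaplen(size_t snaplen, size_t linkhdr, uint16_t *sport, uint16_t *dport)
{
    uint8_t buf[128] = {0};
    size_t wire = linkhdr + 20 + 20;              /* link + IPv4 + TCP headers */
    if (wire > sizeof buf) return -2;
    uint8_t *ip = buf + linkhdr;
    ip[0] = 0x45; ip[9] = 6;                      /* IPv4, IHL 5, protocol TCP */
    ip[20] = 0x30; ip[21] = 0x39; ip[23] = 22;    /* sport 12345, dport 22 */
    size_t caplen = wire < snaplen ? wire : snaplen;
    return tcp_ports(buf, caplen, linkhdr, sport, dport);
}

int main(void)
{
    size_t snap[] = {68, 96}, link[] = {ETHER_HDRLEN, PFLOG_HDRLEN_ASSUMED};
    for (int i = 0; i < 2; i++)
        for (int j = 0; j < 2; j++) {
            uint16_t s = 0, d = 0;
            int r = ports_at_snaplen(snap[i], link[j], &s, &d);
            printf("snaplen %zu, link header %zu: %s\n", snap[i], link[j],
                   r == 0 ? "ports visible" : "truncated");
        }
    return 0;
}
```

Under that assumption, 68 bytes end exactly at the last byte of the IPv4 header on a pflog capture, which matches the missing ports described in the report; 96 bytes leave room for the TCP header.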