NetBSD Problem Report #34733

From www@NetBSD.org  Fri Oct  6 14:38:03 2006
Return-Path: <www@NetBSD.org>
Received: by narn.NetBSD.org (Postfix, from userid 31301)
	id 161F763B8C9; Fri,  6 Oct 2006 14:38:03 +0000 (UTC)
Message-Id: <20061006143803.161F763B8C9@narn.NetBSD.org>
Date: Fri,  6 Oct 2006 14:38:03 +0000 (UTC)
From: bseklecki@collaborativefusion.com
Reply-To: bseklecki@collaborativefusion.com
To: gnats-bugs@NetBSD.org
Subject: tcpdump(8) requires default snaplen > 68 for pflog(4)
X-Send-Pr-Version: www-1.0

>Number:         34733
>Category:       bin
>Synopsis:       tcpdump(8) requires default snaplen > 68 for pflog(4)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          doc-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Oct 06 14:40:00 +0000 2006
>Last-Modified:  Thu Sep 18 20:40:02 +0000 2008
>Originator:     Brian A. Seklecki
>Release:        NetBSD 3.0_STABLE
>Organization:
Collaborative Fusion, Inc.
>Environment:
NetBSD 3.0_STABLE (GENERIC+IPSEC-$Revision: 1.169.4.2 $) #3: Wed Jul 12 20:10:13 EDT 2006

>Description:
FreeBSD and OpenBSD have upped the default snaplen (-s #) to their in-tree tcpdump(8) to 96 to accommodate for additional packet-level info (such as source and destination TCP/UDP ports) which get truncated by the present NetBSD default snaplen of 68, marginalizing the usefulness of pflog(4) without special flags to tcpdump(8).
>How-To-Repeat:
Run the tcpdump(8) example in pflog(4) w/o "-s 96"
>Fix:
-) Append the flag to your tcpdump(8) command
-) Patch the tcpdump(8) example command in pflog(4)
-) Change the default snaplen in tcpdump 

I will check with the upstream vendor to see what's up.

~BAS

>Audit-Trail:
From: "Jeremy C. Reed" <reed@reedmedia.net>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/34733
Date: Sat, 25 Nov 2006 12:18:47 -0600 (CST)

 src/dist/tcpdump/interface.h has:

 /*
  * The default snapshot length.  This value allows most printers to print
  * useful information while keeping the amount of unwanted data down.
  */
 #ifndef INET6
 #define DEFAULT_SNAPLEN 68      /* ether + IPv4 + TCP + 14 */
 #else
 #define DEFAULT_SNAPLEN 96      /* ether + IPv6 + TCP + 22 */
 #endif

 I wonder where the problem is.
 INET6 is defined in src/usr.sbin/tcpdump/Makefile

 Do you have USE_INET6=no??

From: "Brian A. Seklecki" <bseklecki@collaborativefusion.com>
To: gnats-bugs@NetBSD.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: bin/34733
Date: Tue, 19 Dec 2006 15:12:14 -0500

 Right; this is on a profiled system w/ :

 mk.conf(5)
 USE_INET6=no
 MKINET6=no
 NO_INET6=yes

 So the problem only surfaces because the 96-byte snaplen is required for
 both IPv6 _and_ CARP, and since CARP can work in IPv4-only environments,
 it is a rare bug, but almost certainly warrants either:

 -) run-time instead of compile-time checks
 -) changing the default snaplen globally 

 ...which doesn't seem like it'll have a detrimental performance impact
 other than extremely high volume ipv4-only sites (which are probably
 using libpcap/tcpdump from pkgsrc anyway)

 ~BAS

 > 
 >  src/dist/tcpdump/interface.h has:
 >  
 >  /*
 >   * The default snapshot length.  This value allows most printers to print
 >   * useful information while keeping the amount of unwanted data down.
 >   */
 >  #ifndef INET6
 >  #define DEFAULT_SNAPLEN 68      /* ether + IPv4 + TCP + 14 */
 >  #else
 >  #define DEFAULT_SNAPLEN 96      /* ether + IPv6 + TCP + 22 */
 >  #endif
 >  
 >  I wonder where the problem is.
 >  INET6 is defined in src/usr.sbin/tcpdump/Makefile
 >  
 >  Do you have USE_INET6=no??
 >  
 > 
 > 
 > 
 > 
 > 
 > 
 -- 
 Brian A. Seklecki <bseklecki@collaborativefusion.com>
 Collaborative Fusion, Inc.
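
The truncation described in the report, and the two compile-time defaults quoted from interface.h, as an added example that is not part of the PR or of tcpdump's source: a bounds-checked decoder run over a constructed IPv4/TCP frame at each snaplen. The 48-byte pflog(4) header length is an assumption about the pf of that era (the report does not state it), and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define ETHER_HDRLEN 14 /* Ethernet II header */
#define PFLOG_HDRLEN 48 /* assumed pflog(4) header size; not given in the PR */
enum decode { DEC_NO_IP, DEC_NO_PORTS, DEC_OK };

/* Read TCP ports from a capture cut to caplen bytes, checking every bound. */
static enum decode decode_ports(const uint8_t *buf, size_t caplen,
    size_t ll_hdrlen, uint16_t *sport, uint16_t *dport)
{
	if (caplen < ll_hdrlen + 20)             /* minimal IPv4 header cut off */
		return DEC_NO_IP;
	const uint8_t *ip = buf + ll_hdrlen;
	size_t ihl = (size_t)(ip[0] & 0x0f) * 4; /* IPv4 header length */
	if ((ip[0] >> 4) != 4 || ihl < 20)
		return DEC_NO_IP;
	if (caplen < ll_hdrlen + ihl + 4)        /* ports: first 4 TCP bytes */
		return DEC_NO_PORTS;
	*sport = (uint16_t)(ip[ihl] << 8 | ip[ihl + 1]);
	*dport = (uint16_t)(ip[ihl + 2] << 8 | ip[ihl + 3]);
	return DEC_OK;
}

/* Constructed sample: zeroed link header + IPv4 + TCP, cut to snaplen. */
static enum decode try_snaplen(size_t ll_hdrlen, size_t snaplen,
    uint16_t *sport, uint16_t *dport)
{
	uint8_t buf[128] = {0};
	uint8_t *ip = buf + ll_hdrlen;
	ip[0] = 0x45; ip[9] = 6;                 /* IPv4, IHL 5, protocol TCP */
	ip[20] = 0xc7; ip[21] = 0x38; ip[22] = 0x00; ip[23] = 0x16; /* 51000 -> 22 */
	size_t len = ll_hdrlen + 40;             /* link + IPv4 + TCP headers */
	return decode_ports(buf, len < snaplen ? len : snaplen, ll_hdrlen,
	    sport, dport);
}

int main(void)
{
	const char *msg[] = { "no IP header", "ports truncated", "ports ok" };
	size_t ll[] = { ETHER_HDRLEN, PFLOG_HDRLEN, PFLOG_HDRLEN };
	size_t snap[] = { 68, 68, 96 };
	for (int i = 0; i < 3; i++) {
		uint16_t s = 0, d = 0;
		enum decode r = try_snaplen(ll[i], snap[i], &s, &d);
		printf("link hdr %zu, snaplen %zu: %s (%u -> %u)\n",
		    ll[i], snap[i], msg[r], (unsigned)s, (unsigned)d);
	}
	return 0;
}
```

Under that assumption a 68-byte capture on pflog(4) ends exactly at the last byte of an option-less IPv4 header, so the TCP ports are never captured, while the same snaplen on Ethernet leaves room for them.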

From: "Brian A. Seklecki" <lavalamp@spiritual-machines.org>
To: tech-userlevel@netbsd.org, "Jeremy C. Reed" <reed@reedmedia.net>
Cc: gnats-bugs@NetBSD.org
Subject: Re: bin/34733: tcpdump(8) requires default snaplen > 68 for
	pflog(4)
Date: Thu, 18 Sep 2008 16:39:44 -0400

 Since I'm on a roll this week, I'd like to revisit this ticket as well.

 Would it be possible to bump the default snaplen variables in
 src/dist/tcpdump/interface.h to something more pf(4)-friendly
 (independent of INET6)?

 Other suggestions include modifying the default snaplen on a
 per-interface-type basis.

 Thoughts?

 ~BAS

 On Fri, 2006-10-06 at 14:40 +0000, gnats-admin@netbsd.org wrote:
 > Thank you very much for your problem report.
