Thanks Ryan!
On 19/11/2008, at 7:00 PM, Ryan McBride wrote:
> On Wed, Nov 19, 2008 at 01:13:32AM +0000, Stuart Henderson wrote:
>> On 2008/11/19 13:48, Russell Fulton wrote:
>>> Does anyone have any suggestions as to how we can get data in pf log
>>> files into pcap files that can be read (and filtered) on other
>>> systems.
>>
>> the packets have a "struct pfloghdr" header as described in pflog(4);
>> this could be chopped off. I'm not aware of existing software that does
>> this, but it would be simple to code.
>
> net/tcpreplay includes a utility called 'tcprewrite' that removes this
> information (or rewrites it with whatever you want).

Ah! I do know about tcpreplay and friends but never thought of using
it for this.

> "other systems" may actually understand the pfloghdr data and know how
> to present it. If they don't, ask for it. The information in there can
> be very useful.

Good point. MacOS will read and display the information but the
filtering is broken. The folk at Team Cymru have the same issue (I
don't know what OS they are using). It would appear that there is a
bug in this version of tcpdump. I wish I had time to pursue fixing it
and reporting bugs to Apple is a pain :(
Thanks again!
Russell
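Stuart's point that the pfloghdr can simply be chopped off, and Ryan's that the data in it is worth keeping, as an added example that is not from this thread or from any project mentioned in it: a Python script that prints the action, direction and interface from each pfloghdr and then rewrites the pcap as LINKTYPE_RAW (101) with the header removed. It assumes the 2008-era 64-byte struct pfloghdr layout (length, af, action, reason, ifname[16], ruleset[16], six u32 fields, dir) and classic little- or big-endian pcap files; the sample capture is constructed inline.

```python
import struct

LINKTYPE_PFLOG = 117    # pcap link type for pflog(4) captures
LINKTYPE_RAW = 101      # raw IP packets; readers take the version from the first nibble
PFLOG_HDRLEN = 64       # sizeof(struct pfloghdr) in the 2008-era layout (assumption)
ACTIONS = {0: "pass", 1: "block"}        # pflog(4) action field (PF_PASS / PF_DROP)
DIRS = {0: "in/out", 1: "in", 2: "out"}  # pflog(4) dir field (PF_INOUT / PF_IN / PF_OUT)

def pflog_summary(rec):
    """Decode the fields a reader would want to keep from a struct pfloghdr."""
    length, af, action, reason = struct.unpack_from("BBBB", rec, 0)
    ifname = rec[4:20].split(b"\0", 1)[0].decode("ascii", "replace")
    direction = rec[60] if length >= 61 else 0   # u_int8_t dir follows the six u32 fields
    return "%s %s on %s (af %d, reason %d)" % (
        ACTIONS.get(action, "?"), DIRS.get(direction, "?"), ifname, af, reason)

def strip_pflog(pcap):
    """Rewrite a DLT_PFLOG pcap as LINKTYPE_RAW, dropping each record's pfloghdr.
    Returns (new_pcap_bytes, summaries); records with no IP payload are skipped."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng / nanosecond variants not handled)")
    linktype = struct.unpack_from(endian + "I", pcap, 20)[0]
    if linktype != LINKTYPE_PFLOG:
        raise ValueError("expected link type %d (pflog), got %d" % (LINKTYPE_PFLOG, linktype))
    out = [pcap[:20] + struct.pack(endian + "I", LINKTYPE_RAW)]
    summaries, off = [], 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl, orig = struct.unpack_from(endian + "IIII", pcap, off)
        rec = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        hlen = rec[0] if rec else 0            # pfloghdr.length: the real header size
        if hlen == 0 or len(rec) <= hlen or rec[hlen] >> 4 not in (4, 6):
            continue                           # truncated by snaplen, or payload is not IP
        summaries.append(pflog_summary(rec))
        out.append(struct.pack(endian + "IIII", ts_sec, ts_usec, incl - hlen, orig - hlen))
        out.append(rec[hlen:])
    return b"".join(out), summaries

def build_sample_pcap():
    """Constructed sample: one blocked inbound IPv4 packet logged on em0 (not a real capture)."""
    hdr = bytearray(PFLOG_HDRLEN)
    hdr[0:4] = bytes([PFLOG_HDRLEN, 2, 1, 0])  # length, AF_INET, PF_DROP, reason 0
    hdr[4:7] = b"em0"
    hdr[60] = 1                                # PF_IN
    ip = bytes.fromhex("4500001c000040004001000a0a0000010a000002")  # minimal IPv4 header
    rec = bytes(hdr) + ip
    ghdr = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, LINKTYPE_PFLOG)
    return ghdr + struct.pack("<IIII", 0, 0, len(rec), len(rec)) + rec
```

The summaries are what gets lost by stripping, so print them (or keep the original file) before handing the raw-IP pcap to a system that cannot decode pflog.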