Re: A question about examining pf logging data

2005-09-13 Thread Can Erkin Acar
ed <[EMAIL PROTECTED]> wrote:
> That's good, thanks, I thought tcpdump was IP layer only, because of
> the name.

While tcpdump is not IP layer only, pf is. So you will not be able to see ARP packets or ethernet addresses when reading pflog.

Can

> On Tue, 13 Sep 2005 14:38:09 +0300
> Huzeyfe Onal

Re: A question about examining pf logging data

2005-09-13 Thread ed
That's good, thanks, I thought tcpdump was IP layer only, because of the name.

On Tue, 13 Sep 2005 14:38:09 +0300
Huzeyfe Onal <[EMAIL PROTECTED]> wrote:

> try #tcpdump arp to see only arp packages.
> Want to get the link-level header? Add the -e option.
>
>
> 2005/9/12, ed <[EMAIL PROTECTED]>:
>

Re: A question about examining pf logging data

2005-09-13 Thread Huzeyfe Onal
try #tcpdump arp to see only arp packages.
Want to get the link-level header? Add the -e option.

2005/9/12, ed <[EMAIL PROTECTED]>:
> On Mon, 12 Sep 2005 13:26:19 -0400
> "Will H. Backman" <[EMAIL PROTECTED]> wrote:
>
> > >
> > >
> > > This has most of the data that I need, but it seems to be missing
> >

Re: A question about examining pf logging data

2005-09-12 Thread ed
On Mon, 12 Sep 2005 13:26:19 -0400
"Will H. Backman" <[EMAIL PROTECTED]> wrote:

> >
> > This has most of the data that I need, but it seems to be missing
> > one thing
> > that I think is important. How can I determine if the traffic is
> > TCP/UDP/ICMP etc?
> >
> If you have ack and window flag

Re: A question about examining pf logging data

2005-09-12 Thread Jason McIntyre
On Mon, Sep 12, 2005 at 01:03:39PM -0400, stan wrote:
>
> I've captured a bit of data as pflog files. Then I've processed these files
> with:
>
> tcpdump -n -e -
>
> Which results in data records like this:
>
> 2005-09-08 20:26:40.328379 rule 5/0(match): pass out on fxp0: IP
> 170.85.113.

Re: A question about examining pf logging data

2005-09-12 Thread Will H. Backman
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> stan
> Sent: Monday, September 12, 2005 1:04 PM
> To: OpenBSD general usage list
> Subject: A question about examining pf logging data
>
> I've set up a transparent bri

Re: A question about examining pf logging data

2005-09-12 Thread Bryan Irvine
On 9/12/05, stan <[EMAIL PROTECTED]> wrote:
> I've set up a transparent bridge, with pf in "pass all log" mode to capture
> data to/from a particular subnet. I am gathering data about the traffic
> that passes through this gateway in order to prepare for installing a
> firewall. Although I've enve

A question about examining pf logging data

2005-09-12 Thread stan
I've set up a transparent bridge, with pf in "pass all log" mode to capture data to/from a particular subnet. I am gathering data about the traffic that passes through this gateway in order to prepare for installing a firewall. I've captured a bit of data as pflog files. Then I've processed these