I've set up a transparent bridge, with pf in "pass all log" mode to capture data to/from a particular subnet. I am gathering data about the traffic that passes through this gateway in order to prepare for installing a firewall.
I've captured a bit of data as pflog files. Then I've processed these files with:

tcpdump -n -e -tttt

Which results in data records like this:

2005-09-08 20:26:40.328379 rule 5/0(match): pass out on fxp0: IP 170.85.113.49.3092 > 170.85.107.35.1500: . 1460:2920(1460) ack 1 win 63947

This has most of the data that I need, but it seems to be missing one thing that I think is important. How can I determine if the traffic is TCP/UDP/ICMP, etc.? Reading the tcpdump man page did not lead me to an answer. If I look at the raw logfiles with ethereal, I see that the "type" data is there, but I don't know how to get it printed in the processed data file. Suggestions?

-- 
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong Terror - New York Times 9/3/1967
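Added example, not part of the post above and not the poster's code. tcpdump does not print the IP protocol as a separate column; it is implied by the shape of the per-packet summary after the "src > dst:" part (TCP shows flags, a seq range, "ack N" and "win N"; UDP shows "UDP, length N" or a decoded DNS query; ICMP starts with "ICMP"), and it is printed explicitly as "proto TCP (6)" inside the IP header only when tcpdump is run with -v. The script below reads the output of tcpdump -n -e -tttt on a pflog file and adds a protocol column by either reading that explicit "proto" field when -v was used or inferring the protocol from the summary shape. The sample lines are constructed here to exercise each shape (the first is the record quoted in the post); the pflog line layout, the -v header form with an optional colon after "proto" in older 3.x releases, and the regular expressions are assumptions about tcpdump's output format, not taken from the post.

```python
#!/usr/bin/env python3
"""Add an IP-protocol column to `tcpdump -n -e -tttt` output from a pflog file.

tcpdump prints no separate protocol field; it is implied by the packet
summary, or given explicitly as "proto TCP (6)" when -v is used.  Handles both.
"""
import re
import sys
from collections import Counter

# Constructed sample input.  The first record is the one quoted in the post;
# the others are made up to show UDP, decoded DNS, ICMP and the `-v` form.
# They are not real captures from the poster's bridge.
SAMPLE_LINES = [
    "2005-09-08 20:26:40.328379 rule 5/0(match): pass out on fxp0: IP 170.85.113.49.3092 > 170.85.107.35.1500: . 1460:2920(1460) ack 1 win 63947",
    "2005-09-08 20:26:41.001122 rule 5/0(match): pass in on fxp0: IP 170.85.107.35.1025 > 170.85.113.49.53: 4711+ A? www.example.com. (33)",
    "2005-09-08 20:26:41.002233 rule 5/0(match): pass in on fxp0: IP 170.85.107.35.5000 > 170.85.113.49.5001: UDP, length 512",
    "2005-09-08 20:26:42.000001 rule 5/0(match): pass out on fxp0: IP 170.85.113.49 > 170.85.107.35: ICMP echo request, id 12, seq 1, length 64",
    "2005-09-08 20:26:43.000001 rule 5/0(match): pass out on fxp0: IP (tos 0x0, ttl 64, id 1234, offset 0, flags [DF], proto TCP (6), length 60) 170.85.113.49.3092 > 170.85.107.35.1500: S 1:1(0) win 65535",
]

# "<date> <time> rule <n/m(reason)>: <action> <in|out> on <ifname>: <packet>"
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\S+): (?P<action>\S+) "
    r"(?P<dir>in|out) on (?P<iface>\S+): (?P<rest>.*)$")
# `tcpdump -v` IP header: "..., proto TCP (6), length 60)".  Assumed: older
# 3.x releases wrote "proto: TCP (6)", so the colon is optional here.
EXPLICIT_PROTO_RE = re.compile(r"\bproto:? (?P<name>[A-Za-z0-9-]+) \((?P<num>\d+)\)")
# "src > dst: summary"; for TCP/UDP the port is appended as ".<port>".
FLOW_RE = re.compile(r"(?P<src>[\w.:]+) > (?P<dst>[\w.:]+): (?P<summary>.*)$")
# Old-style (3.x) TCP summary: flags token, then seq range, "ack N" or "win N".
TCP_OLD_RE = re.compile(r"^[SFRPWEU.]+ (?:\d+:\d+\(\d+\)|ack \d+|win \d+)")
# DNS as tcpdump decodes it: "4711+ A? host. (33)" or "4711 1/0/0 A ... (49)".
DNS_RE = re.compile(r"^\d+[+*|$-]* (?:[A-Z]+\? |NXDomain|ServFail|Refused|\d+/\d+/\d+)")


def classify_summary(summary):
    """Infer the transport from the text tcpdump prints after 'dst:'."""
    if summary is None:
        return "UNKNOWN"
    s = summary.strip()
    # 4.x prints "Flags [S], seq ..."; 3.x prints "S 1:1(0) win ..." etc.
    if s.startswith("Flags [") or TCP_OLD_RE.match(s):
        return "TCP"
    upper = s.upper()
    if upper.startswith("ICMP"):          # "ICMP echo request ..." / "icmp: ..."
        return "ICMP"
    if upper.startswith("UDP"):           # "UDP, length 512" / "udp 512"
        return "UDP"
    if DNS_RE.match(s):                   # decoded DNS; DNS over TCP hit the TCP branch
        return "UDP"
    return "UNKNOWN"


def parse_line(line):
    """Return the pflog fields plus src, dst and proto, or None for non-records."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    flow = FLOW_RE.search(rest)
    rec["src"] = flow.group("src") if flow else None
    rec["dst"] = flow.group("dst") if flow else None
    explicit = EXPLICIT_PROTO_RE.search(rest)   # present only with -v
    if explicit:
        rec["proto"] = explicit.group("name").upper()
    else:
        rec["proto"] = classify_summary(flow.group("summary") if flow else None)
    return rec


def summarize(lines):
    """Per-protocol packet counts over an iterable of tcpdump output lines."""
    return Counter(r["proto"] for r in map(parse_line, lines) if r)


def main(argv):
    # Usage: tcpdump -n -e -tttt -r pflog > out.txt; ./pflog_proto.py out.txt
    lines = open(argv[1]).read().splitlines() if len(argv) > 1 else SAMPLE_LINES
    for r in filter(None, map(parse_line, lines)):
        print(f'{r["ts"]} {r["action"]} {r["dir"]} {r["iface"]} '
              f'{r["proto"]:7} {r["src"]} > {r["dst"]}')
    print("totals:", dict(summarize(lines)))


if __name__ == "__main__":
    main(sys.argv)
```

If the capture can be re-read, the simpler route is to add -v to the tcpdump command, which makes tcpdump print the IP header (including the proto field) on every record, and then only the explicit-proto branch above is needed; the summary heuristics exist for output that was already produced without -v.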