soko.tica Wrote:
Hello, list
When I tried to see the pf log of my recently installed OpenBSD 4.4
desktop box, I got the message that snaplen has been raised from 96
to 116, even when I did give it a try with -s 96.
That is normal. The snaplen is only used for listening on an interface.
When reading a capture file, tcpdump uses the snaplen recorded in the
file, regardless of the snaplen setting.
116 is what pflogd(8) uses for recording pflog traffic. Since pflog
interface headers are bigger than ethernet headers, 116 is the minimum
you can use that can reliably capture all pflog interface headers plus
IP and TCP/UDP headers.
$ sudo tcpdump -n -e -ttt -r /var/log/pflog -s 96
Password:
tcpdump: WARNING: snaplen raised from 96 to 116
Any thoughts how to reduce it to examine the logs? Aside, could that
be a symptom of a break-in?
You cannot, and even if you did, you would be truncating TCP/UDP
headers, so the information you see would be incomplete. Where did 96
come from anyway? Some obscure policy written for ethernet interfaces?
Now, if somebody broke into your system, they would want to disable
logging, or reduce the amount logged, not increase it.
Can
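A way to see for yourself where the 116 comes from, as an added example that is not part of the original thread: the pcap global header of the file written by pflogd(8) carries the snaplen and link type, and tcpdump takes the snaplen from there when reading. The input below is a constructed pcap file (DLT_PFLOG = 117 and the pcap magic values are standard libpcap constants; the packet contents are zero padding, not real pflog records).

```python
import struct

# Standard libpcap values: the link type pflogd(8) records, and the
# file magics that tell us byte order and timestamp resolution.
DLT_PFLOG = 117
PCAP_MAGICS = {
    0xA1B2C3D4: "<",  # little-endian, microsecond timestamps
    0xD4C3B2A1: ">",  # big-endian, microsecond timestamps
    0xA1B23C4D: "<",  # little-endian, nanosecond timestamps
    0x4D3CB2A1: ">",  # big-endian, nanosecond timestamps
}


def parse_pcap(data: bytes) -> dict:
    """Read the global header (snaplen, link type) and walk the records,
    counting those whose captured length is below the on-wire length,
    i.e. packets that were cut off at the recorded snaplen."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a pcap file: magic 0x%08x" % magic)
    endian = PCAP_MAGICS[magic]
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    records, truncated, off = [], 0, 24
    while off + 16 <= len(data):
        _sec, _frac, caplen, wirelen = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16 + caplen            # skip the record header and payload
        records.append((caplen, wirelen))
        if caplen < wirelen:
            truncated += 1
    return {"snaplen": snaplen, "linktype": linktype,
            "is_pflog": linktype == DLT_PFLOG,
            "records": records, "truncated": truncated}


def build_sample() -> bytes:
    """Constructed /var/log/pflog look-alike: snaplen 116, DLT_PFLOG,
    one short packet kept whole and one 1500-byte packet cut at 116."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 116, DLT_PFLOG)
    rec1 = struct.pack("<IIII", 1, 0, 80, 80) + b"\x00" * 80
    rec2 = struct.pack("<IIII", 2, 0, 116, 1500) + b"\x00" * 116
    return hdr + rec1 + rec2


if __name__ == "__main__":
    info = parse_pcap(build_sample())
    print("file snaplen=%d linktype=%d pflog=%s truncated=%d/%d" % (
        info["snaplen"], info["linktype"], info["is_pflog"],
        info["truncated"], len(info["records"])))
```

Run it against a real file with `parse_pcap(open("/var/log/pflog", "rb").read())` to confirm the recorded snaplen is 116 and to see how many logged packets were cut off at that length.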