On Sunday 23 January 2011, Johan Helsingius wrote:
> Matteo,
>
> > all you need is at
> >
> > http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
>
> Thanks, but as I wrote:
> >> I am getting a fair bit of log lines that are shown as
> >> "rule def/(short)", and I can't find anything explaining
> >> the meaning of things like "(short)" - the tcpdump man
> >> page only lists "short" as one of the possible values,
> >> without explaining what it means.
>
> So the tcpdump(8) page states:
>
> reason code
>     True if the packet was logged with the specified PF reason code.
>     The known codes are: match, bad-offset, fragment, short, normalize,
>     memory, bad-timestamp, congestion, ip-option, proto-cksum,
>     state-mismatch, state-insert, state-limit, src-limit, and synproxy
>
> But... What does reason code "short" mean? What causes it? I am sure
> the *meaning* of the reason codes are documented somewhere (rather
> than just listing the possible codes), but I haven't found it. I guess
> the next step is to look at the source.
The "short" reason code indicates that the packet was truncated or too short
and therefore was missing information required to make a packet filtering
decision. This could be, for example, a packet that only contained the first
few bytes of an IP datagram (or a header that states that it is a particular
length, but the packet is shorter than the length given). Run `grep
PFRES_SHORT sys/net/pf*` if you want to see where/how this can occur.
--
"Stop assuming that systems are secure unless demonstrated insecure;
start assuming that systems are insecure unless designed securely."
- Bruce Schneier
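The kind of check behind a "short" verdict, as an added example (Python, written for this thread; it is not OpenBSD's pf code): given the raw bytes of an IPv4 packet it reports the first header the captured bytes fail to cover, e.g. an IHL or total-length field that promises more bytes than are present, or a TCP data offset past the end of the packet. Which of these PF counts as "short" rather than another reason depends on the pf version, so the grep above is still the authoritative answer.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17

def short_reason(pkt: bytes):
    """Return None if this IPv4 packet carries every header byte a filter
    would need, else a string naming the first truncation found.
    Example code for this thread, not OpenBSD's pf."""
    if len(pkt) < 20:
        return "ipv4 header truncated (< 20 bytes)"
    if pkt[0] >> 4 != 4:
        return "not ipv4"
    hlen = (pkt[0] & 0x0F) * 4
    if hlen < 20:
        return "ihl below minimum (malformed, not a truncation)"
    if len(pkt) < hlen:                       # IHL promises bytes we never got
        return f"ihl says {hlen} bytes, only {len(pkt)} present"
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < hlen:
        return "total length smaller than header length"
    if len(pkt) < total_len:                  # datagram cut off in flight/capture
        return f"total length says {total_len} bytes, only {len(pkt)} present"
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return None  # non-first fragment: no transport header to check here
    payload, proto = pkt[hlen:total_len], pkt[9]
    if proto == IPPROTO_TCP:
        if len(payload) < 20:
            return "tcp header truncated (< 20 bytes)"
        doff = (payload[12] >> 4) * 4
        if doff < 20:
            return "tcp data offset below minimum (malformed)"
        if len(payload) < doff:               # options claimed but not present
            return f"tcp data offset {doff} exceeds available {len(payload)} bytes"
    elif proto == IPPROTO_UDP and len(payload) < 8:
        return "udp header truncated (< 8 bytes)"
    return None

def sample_ipv4_tcp() -> bytes:
    """Constructed 40-byte IPv4+TCP SYN (not a capture): IHL 5, total length
    40, TCP data offset 5, checksums left zero, RFC 5737 test addresses."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, IPPROTO_TCP,
                     0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    pkt = sample_ipv4_tcp()
    for label, p in [("intact", pkt), ("cut at 12 bytes", pkt[:12]),
                     ("ip header only", pkt[:20]), ("ihl=6, 20 bytes", b"\x46" + pkt[1:20])]:
        print(f"{label:18s} -> {short_reason(p)}")
```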