isakmpd(8) man page: clarify IKE packet capture file

Sat, 04 Jun 2011 19:38:50 -0700 

isakmpd(8)'s -L command-line option enables IKE packet capture. It is
documented on the isakmpd(8) man page as follows:

  -L   Enable IKE packet capture.  When this option is given, isakmpd
       will capture to file an unencrypted copy of the negotiation
       packets it is sending and receiving. This file can later be read
       by tcpdump(8) and other utilities using pcap(3).

The documentation is currently not clear exactly which file isakmpd
will use to log the packet captures. The correct file *is* listed in
the FILES section (it is /var/run/isakmpd.pcap); however, I think it
would be helpful to mention that file in the description of -L itself,
so that the reader would not have to hunt for it throughout the entire
man page.

Similarly, the "p on/off" FIFO commands to enable IKE packet capture
are documented as follows:

  p on[=<path>]
  p off   Enable or disable cleartext IKE packet capture.
          When enabling, optionally specify which file isakmpd should
          capture the packets to.

Again, the default file is not mentioned. What is also not documented
is, if an alternate file is specified via "p on=/path/to/altfile", its
path must begin with /var/run (I found out the hard way :)).

The following diff improves the documentation by specifying the default
packet capture file in the text for -L itself, and also documents the
restriction about the alternate file path for the "p on" FIFO command
(borrowing some text from the -l option).

Any thoughts or comments?

Lawrence


Index: isakmpd.8
===================================================================
RCS file: /cvs/src/sbin/isakmpd/isakmpd.8,v
retrieving revision 1.107
diff -u -p -r1.107 isakmpd.8
--- isakmpd.8   7 Jun 2010 08:38:09 -0000       1.107
+++ isakmpd.8   5 Jun 2011 02:09:21 -0000
@@ -249,7 +249,9 @@ or
 Enable IKE packet capture.
 When this option is given,
 .Nm
-will capture to file an unencrypted copy of the negotiation packets it
+will capture to
+.Pa /var/run/isakmpd.pcap
+an unencrypted copy of the negotiation packets it
 is sending and receiving.
 This file can later be read by
 .Xr tcpdump 8
@@ -469,9 +471,12 @@ In passive mode no packets are sent to p
 .Xc
 .It Ic p off
 Enable or disable cleartext IKE packet capture.
-When enabling, optionally specify which file
-.Nm
-should capture the packets to.
+When enabling, packets are captured to
+.Pa /var/run/isakmpd.pcap ;
+optionally, an alternate file can be specified but
+note that only paths beginning with
+.Pa /var/run
+are allowed.
 .Pp
 .It Ic Q
 Cleanly shutdown the daemon, as when sent a

Reply via email to