I'm still seeing these errors each time

tcpdump: pcap_loop: truncated dump file
tcpdump: pcap_loop: bogus savefile header

Simply running tcpdump -nettt -r /var/log/pflog leads to the tcpdump: pcap_loop: truncated dump file. Any ideas?

Below is the content of /var/log/pf-block.log

Apr 29 12:05:01 core-install pf: Apr 29 12:00:44.450168 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33.52856 > ff02::1:3.5355: udp 22 [hlim 1]
Apr 29 12:05:01 core-install pf: Apr 29 12:00:44.450178 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33.52856 > ff02::1:3.5355: udp 22 [hlim 1]
Apr 29 12:05:01 core-install pf: Apr 29 12:00:44.450541 rule 10/(match) block in on vlan310: 192.168.0.4.61394 > 224.0.0.252.5355: udp 22 [ttl 1]
Apr 29 12:05:01 core-install pf: Apr 29 12:00:44.450552 rule 10/(match) block in on vlan310: 192.168.0.4.61394 > 224.0.0.252.5355: udp 22 [ttl 1]
Apr 29 12:05:01 core-install pf: Apr 29 12:00:44.550100 rule 10/(match) block in on vlan310: 192.168.0.4.61394 > 224.0.0.252.5355: udp 22 [ttl 1]
Apr 29 12:05:01 core-install pf: Apr 29 12:00:44.550107 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33.52856 > ff02::1:3.5355: udp 22 [hlim 1]
Apr 29 12:05:01 core-install pf: Apr 29 12:00:44.550114 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33.52856 > ff02::1:3.5355: udp 22 [hlim 1]
Apr 29 12:05:01 core-install pf: Apr 29 12:00:44.550125 rule 10/(match) block in on vlan310: 192.168.0.4.61394 > 224.0.0.252.5355: udp 22 [ttl 1]
Apr 29 12:05:01 core-install pf: Apr 29 12:00:44.750482 rule 10/(match) block in on vlan310: 192.168.0.4.137 > 192.168.0.255.137: udp 50
Apr 29 12:05:01 core-install pf: Apr 29 12:00:44.750494 rule 10/(match) block in on vlan310: 192.168.0.4.137 > 192.168.0.255.137: udp 50
Apr 29 12:05:01 core-install pf: Apr 29 12:00:45.500168 rule 10/(match) block in on vlan310: 192.168.0.4.137 > 192.168.0.255.137: udp 50
Apr 29 12:05:01 core-install pf: Apr 29 12:00:45.500179 rule 10/(match) block in on vlan310: 192.168.0.4.137 > 192.168.0.255.137: udp 50
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.056424 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33.546 > ff02::1:2.547:dhcp6 solicit [hlim 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.056436 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33.546 > ff02::1:2.547:dhcp6 solicit [hlim 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.400461 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33 > ff02::16: HBH multicast listener report v2, 1 group record(s) [hlim 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.400469 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33 > ff02::16: HBH multicast listener report v2, 1 group record(s) [hlim 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.400584 rule 10/(match) block in on vlan310: 192.168.0.4 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.400592 rule 10/(match) block in on vlan310: 192.168.0.4 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.427442 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33 > ff02::16: HBH multicast listener report v2, 1 group record(s) [hlim 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.427450 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33 > ff02::16: HBH multicast listener report v2, 1 group record(s) [hlim 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.427565 rule 10/(match) block in on vlan310: 192.168.0.4 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.427572 rule 10/(match) block in on vlan310: 192.168.0.4 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.428080 rule 10/(match) block in on vlan310: 192.168.0.4.56486 > 224.0.0.252.5355: udp 24 [ttl 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.428088 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33.58621 > ff02::1:3.5355: udp 24 [hlim 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.428095 rule 0.\M-t.0/(match) block in on vlan)\M-E~Qh\M-\: bad-ip6-version 4

----- Original Message -----
| I do PF log rotation for blocked packets and the latest snapshot
| reports the following error each time syslog is run. Is this a bug?
|
| tcpdump: pcap_loop: bogus savefile header
|
|
| /etc/pflogrotate
| ================
|
| #!/bin/sh
|
| PFLOG=/var/log/pflog
| FILE=/var/log/pflog5min.$(date "+%Y%m%d%H%M")
| pkill -ALRM -u root -U root -t - -x pflogd
| if [ -r $PFLOG ] && [ $(stat -f %z $PFLOG) -gt 24 ]; then
|    mv $PFLOG $FILE
|    pkill -HUP -u root -U root -t - -x pflogd
|    tcpdump -n -e -s 160 -ttt -r $FILE | logger -t pf -p local0.info
|    rm $FILE
| fi
|
|
| /etc/syslog.conf
| ================
|
| local0.info     /var/log/pf-block.log
|
|
| --
| James A. Peltier
| Manager, IT Services - Research Computing Group
| Simon Fraser University - Burnaby Campus
| Phone   : 778-782-6573
| Fax     : 778-782-3045
| E-Mail  : [email protected]
| Website : http://www.sfu.ca/itservices
|
| “A successful person is one who can lay a solid foundation from the
| bricks others have thrown at them.” -David Brinkley via Luke Shaw
|
|

--
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : [email protected]
Website : http://www.sfu.ca/itservices

“A successful person is one who can lay a solid foundation from the bricks others have thrown at them.” -David Brinkley via Luke Shaw
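
A diagnostic for the two tcpdump errors quoted above, as an added example that is not part of the original message: it walks a classic pcap savefile (24-byte file header, 16-byte header before each record) and reports where the first incomplete or implausible record sits, so a rotated file can be checked before it is piped to tcpdump and logger. The function name, the rule that a capture length above the file's snaplen is bogus, and the sample bytes are assumptions made for this sketch.

```python
import struct
import sys

# Magic number as read little-endian -> struct byte-order prefix for the file.
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}

def check_savefile(data: bytes):
    """Return (status, complete_records, offset_of_problem_or_end)."""
    if len(data) < 24:
        return ("truncated file header", 0, 0)
    order = PCAP_MAGICS.get(struct.unpack("<I", data[:4])[0])
    if order is None:
        return ("bad magic", 0, 0)
    # version major/minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, snaplen, _ = struct.unpack(order + "HHiIII", data[4:24])
    off, records = 24, 0
    while off < len(data):
        if len(data) - off < 16:
            return ("truncated record header", records, off)
        _, _, caplen, _ = struct.unpack(order + "IIII", data[off:off + 16])
        # Assumption: a capture length above the file's snaplen means the
        # record header is garbage (for example, a partially written record).
        if caplen > snaplen:
            return ("bogus record header", records, off)
        if len(data) - off - 16 < caplen:
            return ("truncated record data", records, off)
        off += 16 + caplen
        records += 1
    return ("ok", records, off)

def _record(payload: bytes) -> bytes:
    # ts_sec, ts_usec, caplen, len followed by the captured bytes
    return struct.pack("<IIII", 1, 0, len(payload), len(payload)) + payload

# Constructed sample: little-endian header, snaplen 160, linktype 117 (PFLOG),
# followed by two dummy records of 60 and 40 bytes.
GOOD = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 160, 117)
        + _record(b"\x00" * 60) + _record(b"\x00" * 40))
CUT = GOOD[:-10]                                  # writer stopped mid-record
BAD = GOOD[:108] + b"\xff\xff\xff\xff" + GOOD[112:]  # caplen of record 2 corrupted

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(check_savefile(fh.read()))
    else:
        for name, blob in (("GOOD", GOOD), ("CUT", CUT), ("BAD", BAD)):
            print(name, check_savefile(blob))
```

Run it with the path of the rotated file as its only argument; the offset in the result is where a hex dump of the file is worth inspecting.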

