On Oct 27, 2014, at 6:12 AM, Jason Pyeron <jpye...@pdinc.us> wrote:

> On Oct 27, 2014, at 1:47 PM, Guy Harris <g...@alum.mit.edu> wrote:
> 
>> On Oct 26, 2014, at 7:55 PM, "Jason Pyeron" <jpye...@pdinc.us> wrote:
>> 
>>> When I './tcpdump  -r -' I get a:
>>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>>> tcpdump: packet printing is not supported for link type PFLOG: use -w
>>> 
>>> I am using tcpdump 4ac7226 and libpcap 625575f.
>>> 
>>> Did I miss a configure option?
>> 
>> Are you building on an operating system that supports PFLOG 
>> as a filter mechanism?
> 
> Not even close.

I.e., you're not building it on a FreeBSD 8.1, 8.2, or 8.3 system?

>> I think the only OSes that support those options are OpenBSD 
>> and FreeBSD; if you're not building on those OSes, you can't 
>> read PFLOG files, because the developers of PFLOG apparently 
>> found it too difficult either to standardize the PFLOG header 
>> or to add a version field to it, so that 
>> LINKTYPE_PFLOG/DLT_PFLOG can be a standard format in pcap and 
>> pcap-ng files writable by one operating system and readable 
>> by a different operating system, rather than a file whose 
>> format is OS and OS-version dependent and that therefore can 
>> only be read by a program expecting a particular OS version's 
>> flavor of PFLOG.
> 
> Nice job BSD people. Could there be a way to force support for a specific 
> version? In my case FreeBSD 8.1-RELEASE-p13 / FreeBSD 8.3-RELEASE-p16.

So I assume you're *not* building on one of those OSes, or on any other version 
of FreeBSD or OpenBSD or any other OS on which there's a 
/usr/include/net/pfvar.h header?

If there *is* a /usr/include/net/pfvar.h header on your system, the configure 
script *should* have figured out that it's there and configured the pflog 
printer in.  However, it'll handle the PFLOG format that the "struct pfloghdr" 
defined in the /usr/include/net/if_pflog.h header defines.

If there *isn't* a /usr/include/net/pfvar.h header on your system, you'd have 
to copy /usr/include/net/pfvar.h and /usr/include/net/if_pflog.h from one 
of the FreeBSD systems in question to /usr/include/net on your machine, and 
re-run the configure script and try to build.  (You might have to tweak the 
copied-over headers to get the compilation to work on your machine.)

If the different FreeBSD versions have different "struct pfloghdr" structure 
layouts, you'll need to build different versions of tcpdump for them!

>> (And if you *are* building on those OSes, what you'll get is 
>> a version of tcpdump that can read dumps from that particular 
>> version of the OS, but won't necessarily be able to read 
>> dumps from other versions of the same OS or other OSes.)
> 
> This may be off topic but how does wireshark deal with this issue?

By having a particular message format hardwired into it.  I don't know what OS 
versions that handles.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
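The thread turns on the pcap file's link type: a capture whose global header says LINKTYPE_PFLOG (117 in the libpcap link-type registry) carries an OS-specific `struct pfloghdr`, so a tcpdump built without the pflog printer refuses it. The following Python is an added example written for this page, not code from the thread or from tcpdump/libpcap; it parses the 24-byte pcap global header (both byte orders, microsecond and nanosecond magic) and flags PFLOG as OS-dependent, which lets you check a file before feeding it to a particular tcpdump build. The link-type table is a deliberately short subset, and the sample header bytes are constructed here.

```python
import struct

# pcap global-header magic numbers (from the pcap file format; the second is
# the nanosecond-resolution variant).
PCAP_MAGIC_US = 0xA1B2C3D4
PCAP_MAGIC_NS = 0xA1B23C4D

# A few LINKTYPE_* values from the libpcap link-type registry (partial table,
# an assumption of this example). 117 is LINKTYPE_PFLOG, whose per-packet
# header (struct pfloghdr) is defined by the originating OS, not by libpcap.
LINKTYPES = {
    0: "NULL",
    1: "EN10MB",
    101: "RAW",
    117: "PFLOG",
}
OS_DEPENDENT_LINKTYPES = {117}


def parse_pcap_global_header(data: bytes) -> dict:
    """Parse a 24-byte pcap global header into a dict of its fields.

    Byte order is inferred from the magic number; ValueError is raised for
    short input or an unrecognised magic.
    """
    if len(data) < 24:
        raise ValueError("short pcap global header (%d bytes)" % len(data))
    magic_le, = struct.unpack("<I", data[:4])
    magic_be, = struct.unpack(">I", data[:4])
    if magic_le in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian, magic = "<", magic_le
    elif magic_be in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian, magic = ">", magic_be
    else:
        raise ValueError("not a pcap file (magic 0x%08x)" % magic_le)
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    return {
        "endian": "little" if endian == "<" else "big",
        "nanosecond": magic == PCAP_MAGIC_NS,
        "version": (major, minor),
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPES.get(linktype, "unknown"),
        # True when the packet header layout depends on the writing OS,
        # i.e. the file may only be readable by a matching tcpdump build.
        "os_dependent": linktype in OS_DEPENDENT_LINKTYPES,
    }


def is_pcap(data: bytes) -> bool:
    """True if the bytes start with a parsable pcap global header."""
    try:
        parse_pcap_global_header(data)
        return True
    except ValueError:
        return False


def build_pcap_global_header(linktype: int, endian: str = "<",
                             nanosecond: bool = False) -> bytes:
    """Construct a pcap global header (version 2.4, snaplen 65535)."""
    magic = PCAP_MAGIC_NS if nanosecond else PCAP_MAGIC_US
    return struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, linktype)


# Constructed sample: the header a pflog capture would start with.
SAMPLE_PFLOG_HEADER = build_pcap_global_header(117)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            hdr = f.read(24)
    else:
        hdr = SAMPLE_PFLOG_HEADER
    info = parse_pcap_global_header(hdr)
    print("link-type %d (%s), %s-endian, %s timestamps"
          % (info["linktype"], info["linktype_name"], info["endian"],
             "ns" if info["nanosecond"] else "us"))
    if info["os_dependent"]:
        print("header layout is OS-dependent: needs a tcpdump built on a "
              "matching OS version")
```

Run it with a capture path as the first argument, or with no argument to inspect the constructed PFLOG sample. Reading only the first 24 bytes keeps the check independent of the per-packet header, which for PFLOG is exactly the part libpcap does not standardise.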