
Re: odd things in pf drop logs...



On Thu, Nov 17, 2005 at 04:31:37PM +1300, Russell Fulton wrote:
> sudo tcpdump -ttn -i pflog0 src net 130.216 | grep -v '130.216'
> 1132197414.953036 44.201.164.226 > 223.198.129.20: at-#150 2
> 1132197414.953216 162.179.205.94 > 201.126.84.84: at-#205 2
> 1132197414.953249 118.221.55.38 > 202.250.187.185: at-#8 2
> 1132197414.953356 10.111.197.35 > 206.119.250.10: at-#63 2
> 1132197419.017820 222.1.252.13 > 205.243.180.221: at-#141 2
> 1132197420.020168 243.11.220.239 > 199.109.236.92: at-#246 2
> 1132197420.020232 39.101.239.105 > 196.233.184.35: at-#141 2
> 1132197420.020466 91.215.220.115 > 192.100.78.192: at-#135 2
> 1132197420.020716 143.185.248.140 > 195.224.249.254: at-#150 2
> 1132197425.029290 202.227.188.37 > 157.143.187.152: at-#231 2
> 1132197426.033726 30.141.191.130 > 158.11.15.71: at-#202 2
> 
> There are two questions here:
> 1/ what are these 'packets' and
> 2/ why are they getting selected when the filter says src net 130.216?
I'm not sure. It looks like the only part of tcpdump that can
potentially print the "at-#" part is print-atalk.c, pretty-printing
AppleTalk packets.
Can you make sure you get untruncated packets and print them with
  tcpdump -nvvvX -s 1600 -i pflog0 ...
so we get a little more verbose output?
Maybe try 'src net 130.216.0.0/16', in case this is an issue here.
Daniel
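As an added example that is not part of the thread, the following Python script parses `tcpdump -ttn` lines in the format Russell quoted and checks each source address against the capture filter that was intended (`src net 130.216.0.0/16`), so a discrepancy between the filter and what pflog0 actually shows is reported programmatically instead of by eyeballing `grep -v`. The sample lines are constructed (one in-range address is included for contrast), and the line format and tag extraction are assumptions based on the quoted output.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in the shape of the quoted "tcpdump -ttn -i pflog0" output.
SAMPLE_LINES = """\
1132197414.953036 44.201.164.226 > 223.198.129.20: at-#150 2
1132197414.953216 162.179.205.94 > 201.126.84.84: at-#205 2
1132197420.020232 39.101.239.105 > 196.233.184.35: at-#141 2
1132197425.029290 130.216.12.34 > 157.143.187.152: at-#150 2
"""

# timestamp, src, ">", dst followed by ":", then whatever tcpdump printed
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>[^:]+):\s+(?P<rest>.*)$")


def parse_line(line):
    """Return (timestamp, src, dst, tag) or None if the line does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tag = m.group("rest").split()[0]  # e.g. 'at-#150', tcpdump's AppleTalk pretty-printer
    return (float(m.group("ts")), m.group("src"), m.group("dst"), tag)


def audit(lines, expected_src_net):
    """Return (mismatches, tag_counts): lines whose source is outside
    expected_src_net, and a count of the tags tcpdump printed."""
    net = ipaddress.ip_network(expected_src_net, strict=False)
    mismatches = []
    tag_counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not packet summaries
        ts, src, dst, tag = parsed
        tag_counts[tag] += 1
        try:
            src_ok = ipaddress.ip_address(src) in net
        except ValueError:
            src_ok = False  # tcpdump printed something that is not an IP address
        if not src_ok:
            mismatches.append((ts, src, dst, tag))
    return mismatches, tag_counts


if __name__ == "__main__":
    bad, counts = audit(SAMPLE_LINES.splitlines(), "130.216.0.0/16")
    for ts, src, dst, tag in bad:
        print(f"{ts:.6f} {src} > {dst} [{tag}] is outside 130.216.0.0/16")
    print(dict(counts))
```

To run it against a live capture, pipe `tcpdump -ttn -i pflog0 src net 130.216.0.0/16` into it and feed `sys.stdin` to `audit()`.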