>>>>> "Darren" == Darren Reed <darrenr@xxxxxxxxxxxxxxxxx> writes:
Darren> I'm not sure if Jason Thorpe (NetBSD) has caught up with this
Darren> list but in discussions with him, he's raised the prospect of
Darren> using the tcpdump save file as the format to be used for
Darren> generating log records from the kernel when doing packet
Darren> filtering. The ideas below are my own on this subject but I
Darren> would hope some of them coincide with Jason's. If you were using
Darren> IP Filter, the idea is you could do this:
This message has been sitting in my inbox for months...
Darren> fields which we think will be "the limit" on what's needed and
Darren> the second is to support the insertion of extra meta-data between
Darren> the tcpdump header record and the actual packet. Two extra
Darren> fields would be required for the second method, one to say "what
Darren> type" of meta data is following and the second would be "how
Darren> much" extra meta data is there.
I favour a magic number bump, to include this meta data, and then include
a simple length of extra data, IP option-like (well, more IFF-like).
Darren> To give you an idea of what extra fields would be required for
Darren> ipfilter logging if it used tcpdump are:
Darren> - repetition count (for identical packets logged sequentially)
Darren> - interface name and number
Darren> - syslog facility and priority
Darren> - rule number
Darren> - group number
Darren> - flags associated with the packet (pass/block, etc)
Darren> - global logging flags set
Some of these would be useful for tcpdump output as well:
- interface name + number
- rule number (requires a definition of rule numbers for tcpdump input.
  I'd call each disjoint clause a rule)
Darren> much extra information into the tcpdump log file, explicitly
Darren> especially as it constrains the applications using it. Then
Darren> again, I'm not so sure tcpdump needs more magic numbers either...
Agreed.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@xxxxxxxxxxxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
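The "what type" / "how much" meta-data layout discussed in this thread, as an added example that is not code from the thread, tcpdump or IP Filter: a writer and a reader for a save file whose records carry a type and length field between the standard record header and the packet, selected by a bumped magic number. The bumped magic value, the type codes and the IP Filter field layout are constructed placeholders, not real allocations.

```python
import struct

# Standard little-endian pcap magic (real). The "bumped" magic is a
# constructed placeholder for the proposed meta-data-carrying variant.
PCAP_MAGIC = 0xA1B2C3D4
META_MAGIC = 0xA1B2C3D5          # hypothetical: pcap + per-record meta-data
META_NONE, META_IPF_LOG = 0, 1   # hypothetical "what type" codes

def write_file(records):
    """Build a meta-data-carrying save file in memory. Each record is
    (ts_sec, ts_usec, orig_len, meta_type, meta_bytes, packet_bytes)."""
    # 24-byte global header: magic, v2.4, thiszone, sigfigs, snaplen, LINKTYPE_ETHERNET
    out = struct.pack("<IHHiIII", META_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_usec, orig_len, mtype, meta, pkt in records:
        # Standard 16-byte record header, then "what type" / "how much"
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), orig_len)
        out += struct.pack("<II", mtype, len(meta)) + meta + pkt
    return out

def read_file(buf):
    """Parse both plain pcap and the meta-data variant; the magic number decides."""
    magic, = struct.unpack_from("<I", buf, 0)
    if magic not in (PCAP_MAGIC, META_MAGIC):
        raise ValueError("not a little-endian pcap file")
    has_meta = magic == META_MAGIC
    off, records = 24, []
    while off < len(buf):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", buf, off)
        off += 16
        mtype, meta = META_NONE, b""
        if has_meta:
            mtype, mlen = struct.unpack_from("<II", buf, off)
            off += 8
            if off + mlen > len(buf):
                raise ValueError("truncated meta-data")   # length field must be bounded
            meta = buf[off:off + mlen]
            off += mlen
        if off + incl_len > len(buf):
            raise ValueError("truncated packet")
        pkt = buf[off:off + incl_len]
        off += incl_len
        records.append((ts_sec, ts_usec, orig_len, mtype, meta, pkt))
    return records

def pack_ipf_meta(repeat, ifname, rule, group, flags):
    """Encode the IP Filter log fields named in the thread (constructed layout):
    repetition count, interface name, rule number, group number, packet flags."""
    name = ifname.encode()[:16].ljust(16, b"\0")
    return struct.pack("<I16sIII", repeat, name, rule, group, flags)

def unpack_ipf_meta(meta):
    repeat, name, rule, group, flags = struct.unpack("<I16sIII", meta)
    return repeat, name.rstrip(b"\0").decode(), rule, group, flags
```

A reader that sees the old magic skips the meta-data step entirely, so existing tcpdump files still parse with the same code.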