Ethereal-dev: Re: [Ethereal-dev] bug in ethereal version 0.9.11 concerning pflog

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "John Scarfone" <kg4exy@xxxxxxxxxxx>
Date: Thu, 01 May 2003 21:21:50 -0400
Looks like you're correct. This did change between OpenBSD versions 3.2 and 3.3. I was unaware of that. The change was made here: http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfvar.h.diff?r1=1.123&r2=1.124&f=h

So this isn't really an Ethereal bug.

It would be nice though if eventually the Ethereal decoding was changed to work with the latest OpenBSD version.

On Thu, May 01, 2003 at 02:02:13PM -0400, John Scarfone wrote:
> It looks like the values for pflog.dir are incorrect.  OpenBSD 3.3 has
> values of:
>
> PF_INOUT 0 (not used?)
> PF_IN    1
> PF_OUT   2
>
> It looks like Ethereal treats the value 0 as IN and 1 as OUT.

...which is correct for OpenBSD up to 3.2.

I don't know what writes out DLT_PFLOG captures, but if whatever writes
out DLT_PFLOG captures writes out, in OpenBSD up to 3.2, a value of 0
for IN and a value of 1 for OUT, but writes out a value of 1 for IN and
a value of 2 for OUT in 3.3, and there's no way, from looking at the
capture, to determine whether it came from pre-3.3 or 3.3-or-later, then
somebody screwed up - if somebody writes out some system data structure
to a file, then if the layout of that structure, or the interpretation
of values in that structure, changes, that file had better have some
kind of version stamp so that code that reads the file can figure out
what structure layout and value interpretation should be used, or they
should arrange that old-style values continue to be written to the file.

Or, to put it another way, if there's a DLT_ value, there should be
something written down to give the interpretation of the fields in the
link-layer header (if any) for that value, including explicitly
specifying *numerical values* if particular values of fields have
particular meanings, and you shouldn't be allowed to change the
link-layer header for that DLT_ value in a way that makes that
documentation no longer valid.
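
The ambiguity discussed in this thread, as an added example that is not part of either message or of Ethereal's code: with no version stamp, a reader can only guess the numbering from which `pflog.dir` values appear in a capture, and a capture containing only the value 1 cannot be decoded reliably. The names `infer_era` and `dir_name` are hypothetical, the direction values are the ones quoted above, and the heuristic assumes a 3.3-or-later system never logs `PF_INOUT` (0).

```c
#include <stdio.h>
#include <string.h>

enum pflog_era { ERA_UNKNOWN, ERA_PRE_33, ERA_33_OR_LATER, ERA_CONFLICT };

/* Guess the numbering from the dir values seen in one capture.
 * 0 is only a loggable value in the old scheme (assumption: PF_INOUT is
 * never logged, which the thread marks "not used?"); 2 exists only in
 * the new scheme; 1 alone proves nothing. */
enum pflog_era infer_era(const unsigned char *dirs, size_t n)
{
    int saw0 = 0, saw2 = 0;
    for (size_t i = 0; i < n; i++) {
        saw0 |= (dirs[i] == 0);
        saw2 |= (dirs[i] == 2);
    }
    if (saw0 && saw2) return ERA_CONFLICT;   /* mixed or corrupt input */
    if (saw0) return ERA_PRE_33;
    if (saw2) return ERA_33_OR_LATER;
    return ERA_UNKNOWN;                      /* only 1s, or empty */
}

/* Name a dir value under a given numbering; refuse to guess otherwise. */
const char *dir_name(enum pflog_era era, unsigned char dir)
{
    static const char *old_names[] = { "in", "out" };
    static const char *new_names[] = { "inout", "in", "out" };
    if (era == ERA_PRE_33 && dir < 2) return old_names[dir];
    if (era == ERA_33_OR_LATER && dir < 3) return new_names[dir];
    if (era == ERA_PRE_33 || era == ERA_33_OR_LATER) return "invalid";
    return "ambiguous";
}

int main(void)
{
    /* Constructed dir values, not taken from real captures. */
    const unsigned char a[] = { 0, 1, 1, 0 }, b[] = { 1, 2, 1 }, c[] = { 1, 1 };
    printf("a: 1 -> %s\n", dir_name(infer_era(a, sizeof a), 1));
    printf("b: 1 -> %s\n", dir_name(infer_era(b, sizeof b), 1));
    printf("c: 1 -> %s\n", dir_name(infer_era(c, sizeof c), 1));
    return 0;
}
```

The same byte value 1 decodes as "out" for the first capture and "in" for the second, and the third cannot be resolved at all, which matters when a firewall log is used to decide whether traffic was inbound or outbound.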

