Wireshark · Ethereal-dev: [Ethereal-dev] diff to grok openbsd firewall logs

Ethereal-dev: [Ethereal-dev] diff to grok openbsd firewall logs
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Mike Frantzen <frantzen@xxxxxxx>
Date: Sat, 29 Dec 2001 22:59:54 -0600
This will let ethereal attach to the OpenBSD 3.0 firewall logging
virtual interface and also read the offline logs.

It also adds col_insert_fstr() so the dissector can prepend the firewall
rule action, the applied rule number and the interface to the
info column.


Index: Makefile.am
===================================================================
RCS file: /cvsroot/ethereal/Makefile.am,v
retrieving revision 1.402
diff -u -r1.402 Makefile.am
--- Makefile.am	2001/12/27 05:24:20	1.402
+++ Makefile.am	2001/12/30 04:49:27
@@ -207,6 +207,7 @@
 	packet-osi-options.c \
 	packet-ospf.c  \
 	packet-pcnfsd.c \
+	packet-pflog.c \
 	packet-pgm.c   \
 	packet-pim.c   \
 	packet-pop.c   \
Index: acconfig.h
===================================================================
RCS file: /cvsroot/ethereal/acconfig.h,v
retrieving revision 1.21
diff -u -r1.21 acconfig.h
--- acconfig.h	2001/12/12 05:26:53	1.21
+++ acconfig.h	2001/12/30 04:49:27
@@ -42,6 +42,8 @@
 
 #undef HAVE_PCAP_VERSION
 
+#undef HAVE_PFLOG
+
 #undef PLUGIN_DIR
 
 #undef RED_HAT_MODIFIED_UCD_SNMP
Index: configure.in
===================================================================
RCS file: /cvsroot/ethereal/configure.in,v
retrieving revision 1.143
diff -u -r1.143 configure.in
--- configure.in	2001/12/23 21:11:23	1.143
+++ configure.in	2001/12/30 04:49:29
@@ -459,6 +459,16 @@
 AC_CHECK_HEADERS(arpa/inet.h)
 AC_CHECK_HEADERS(iconv.h)
 
+AC_CHECK_HEADERS(net/if_pflog.h net/pfvar.h)
+AC_MSG_CHECKING(whether to dissect pflog packets)
+if test "$ac_cv_header_net_if_pflog_h" = yes -a \
+   "$ac_cv_header_net_pfvar_h" = yes ; then
+  AC_MSG_RESULT(yes)
+  AC_DEFINE(HAVE_PFLOG)
+else
+  AC_MSG_RESULT(no)
+fi
+
 dnl SSL Check
 SSL_LIBS=''
 AC_MSG_CHECKING(whether to use SSL library if available)
Index: epan/column-utils.c
===================================================================
RCS file: /cvsroot/ethereal/epan/column-utils.c,v
retrieving revision 1.9
diff -u -r1.9 epan/column-utils.c
--- epan/column-utils.c	2001/12/10 02:15:54	1.9
+++ epan/column-utils.c	2001/12/30 04:49:32
@@ -150,6 +150,7 @@
       cinfo->col_data[i] = cinfo->col_buf[i];
     }
   }
+  va_end(ap);
 }
 
 /* Appends a vararg list to a packet info string. */
@@ -178,6 +179,45 @@
       cinfo->col_data[i] = cinfo->col_buf[i];
     }
   }
+  va_end(ap);
+}
+
+/* Insert a vararg list to a packet info string. */
+void
+col_insert_fstr(column_info *cinfo, gint el, gchar *format, ...)
+{
+  va_list ap;
+  int     i, safe_orig = FALSE;
+  char   *orig = NULL;
+  size_t  max_len;
+  
+  if (el == COL_INFO)
+	max_len = COL_MAX_INFO_LEN;
+  else
+	max_len = COL_MAX_LEN;
+  
+  va_start(ap, format);
+  for (i = 0; i < cinfo->num_cols; i++) {
+    if (cinfo->fmt_matx[i][el]) {
+      if (cinfo->col_data[i] != cinfo->col_buf[i]) {
+      	/* This was set with "col_set_str()"; which is effectively const */
+        orig = cinfo->col_data[i];
+      } else {
+        /* Need to cache the original string */
+        if (!safe_orig) {
+          orig = alloca(max_len);
+          safe_orig = TRUE;
+        }
+	strncpy(orig, cinfo->col_buf[i], max_len);
+	orig[max_len - 1] = '\0';
+      }
+      vsnprintf(cinfo->col_buf[i], max_len, format, ap);
+      strncat(cinfo->col_buf[i], orig, max_len);
+      cinfo->col_buf[i][max_len - 1] = '\0';
+      cinfo->col_data[i] = cinfo->col_buf[i];
+    }
+  }
+  va_end(ap);
 }
 
 /* Use this if "str" points to something that won't stay around (and
Index: epan/column-utils.h
===================================================================
RCS file: /cvsroot/ethereal/epan/column-utils.h,v
retrieving revision 1.5
diff -u -r1.5 epan/column-utils.h
--- epan/column-utils.h	2001/12/10 00:26:16	1.5
+++ epan/column-utils.h	2001/12/30 04:49:32
@@ -48,9 +48,12 @@
     __attribute__((format (printf, 3, 4)));
 extern void	col_append_fstr(column_info *, gint, gchar *, ...)
     __attribute__((format (printf, 3, 4)));
+extern void	col_insert_fstr(column_info *, gint, gchar *, ...)
+    __attribute__((format (printf, 3, 4)));
 #else
 extern void	col_add_fstr(column_info *, gint, gchar *, ...);
 extern void	col_append_fstr(column_info *, gint, gchar *, ...);
+extern void	col_insert_fstr(column_info *, gint, gchar *, ...);
 #endif
 extern void	col_add_str(column_info *, gint, const gchar *);
 extern void	col_append_str(column_info *, gint, gchar *);
Index: epan/plugins.c
===================================================================
RCS file: /cvsroot/ethereal/epan/plugins.c,v
retrieving revision 1.44
diff -u -r1.44 epan/plugins.c
--- epan/plugins.c	2001/12/03 10:00:21	1.44
+++ epan/plugins.c	2001/12/30 04:49:36
@@ -288,6 +288,7 @@
 	patable.p_col_clear			= col_clear;
 	patable.p_col_add_fstr			= col_add_fstr;
 	patable.p_col_append_fstr		= col_append_fstr;
+	patable.p_col_insert_fstr		= col_insert_fstr;
 	patable.p_col_add_str			= col_add_str;
 	patable.p_col_append_str		= col_append_str;
 	patable.p_col_set_str			= col_set_str;
Index: plugins/plugin_api.c
===================================================================
RCS file: /cvsroot/ethereal/plugins/plugin_api.c,v
retrieving revision 1.32
diff -u -r1.32 plugins/plugin_api.c
--- plugins/plugin_api.c	2001/12/03 10:00:22	1.32
+++ plugins/plugin_api.c	2001/12/30 04:49:37
@@ -38,6 +38,7 @@
 	p_col_clear				= pat->p_col_clear;
 	p_col_add_fstr				= pat->p_col_add_fstr;
 	p_col_append_fstr			= pat->p_col_append_fstr;
+	p_col_insert_fstr			= pat->p_col_insert_fstr;
 	p_col_add_str				= pat->p_col_add_str;
 	p_col_append_str			= pat->p_col_append_str;
 	p_col_set_str				= pat->p_col_set_str;
Index: plugins/plugin_api.h
===================================================================
RCS file: /cvsroot/ethereal/plugins/plugin_api.h,v
retrieving revision 1.32
diff -u -r1.32 plugins/plugin_api.h
--- plugins/plugin_api.h	2001/12/03 10:00:23	1.32
+++ plugins/plugin_api.h	2001/12/30 04:49:38
@@ -38,6 +38,7 @@
 #define	col_clear			(*p_col_clear)
 #define	col_add_fstr			(*p_col_add_fstr)
 #define	col_append_fstr			(*p_col_append_fstr)
+#define	col_insert_fstr			(*p_col_insert_fstr)
 #define	col_add_str			(*p_col_add_str)
 #define	col_append_str			(*p_col_append_str)
 #define	col_set_str			(*p_col_set_str)
Index: plugins/plugin_api_defs.h
===================================================================
RCS file: /cvsroot/ethereal/plugins/plugin_api_defs.h,v
retrieving revision 1.8
diff -u -r1.8 plugins/plugin_api_defs.h
--- plugins/plugin_api_defs.h	2001/12/03 10:00:23	1.8
+++ plugins/plugin_api_defs.h	2001/12/30 04:49:38
@@ -27,6 +27,7 @@
 addr_col_clear				p_col_clear;
 addr_col_add_fstr			p_col_add_fstr;
 addr_col_append_fstr			p_col_append_fstr;
+addr_col_insert_fstr			p_col_insert_fstr;
 addr_col_add_str			p_col_add_str;
 addr_col_append_str			p_col_append_str;
 addr_col_set_str			p_col_set_str;
Index: plugins/plugin_table.h
===================================================================
RCS file: /cvsroot/ethereal/plugins/plugin_table.h,v
retrieving revision 1.35
diff -u -r1.35 plugins/plugin_table.h
--- plugins/plugin_table.h	2001/12/10 01:48:27	1.35
+++ plugins/plugin_table.h	2001/12/30 04:49:39
@@ -32,6 +32,7 @@
 typedef void (*addr_col_clear)(column_info*, gint);
 typedef void (*addr_col_add_fstr)(column_info*, gint, gchar*, ...);
 typedef void (*addr_col_append_fstr)(column_info*, gint, gchar*, ...);
+typedef void (*addr_col_insert_fstr)(column_info*, gint, gchar*, ...);
 typedef void (*addr_col_add_str)(column_info*, gint, const gchar*);
 typedef void (*addr_col_append_str)(column_info*, gint, gchar*);
 typedef void (*addr_col_set_str)(column_info*, gint, gchar*);
@@ -214,6 +215,7 @@
 	addr_col_clear				p_col_clear;
 	addr_col_add_fstr			p_col_add_fstr;
 	addr_col_append_fstr			p_col_append_fstr;
+	addr_col_insert_fstr			p_col_insert_fstr;
 	addr_col_add_str			p_col_add_str;
 	addr_col_append_str			p_col_append_str;
 	addr_col_set_str			p_col_set_str;
Index: wiretap/acconfig.h
===================================================================
RCS file: /cvsroot/ethereal/wiretap/acconfig.h,v
retrieving revision 1.6
diff -u -r1.6 wiretap/acconfig.h
--- wiretap/acconfig.h	2001/11/13 23:55:42	1.6
+++ wiretap/acconfig.h	2001/12/30 04:49:40
@@ -24,3 +24,5 @@
 #undef PACKAGE
 
 #undef VERSION
+
+#undef HAVE_PFLOG
Index: wiretap/configure.in
===================================================================
RCS file: /cvsroot/ethereal/wiretap/configure.in,v
retrieving revision 1.31
diff -u -r1.31 wiretap/configure.in
--- wiretap/configure.in	2001/12/07 22:56:58	1.31
+++ wiretap/configure.in	2001/12/30 04:49:40
@@ -120,6 +120,16 @@
 AC_HEADER_STDC
 AC_CHECK_HEADERS(sys/time.h netinet/in.h unistd.h fcntl.h sys/stat.h sys/types.h)
 
+AC_CHECK_HEADERS(net/if_pflog.h net/pfvar.h)
+AC_MSG_CHECKING(whether to dissect pflog packets)
+if test "$ac_cv_header_net_if_pflog_h" = yes -a \
+   "$ac_cv_header_net_pfvar_h" = yes ; then
+  AC_MSG_RESULT(yes)
+  AC_DEFINE(HAVE_PFLOG)
+else
+  AC_MSG_RESULT(no)
+fi
+
 # We must know our byte order
 AC_C_BIGENDIAN
 
Index: wiretap/libpcap.c
===================================================================
RCS file: /cvsroot/ethereal/wiretap/libpcap.c,v
retrieving revision 1.62
diff -u -r1.62 wiretap/libpcap.c
--- wiretap/libpcap.c	2001/12/04 07:32:05	1.62
+++ wiretap/libpcap.c	2001/12/30 04:49:42
@@ -230,7 +230,13 @@
 	/*
 	 * 17 is DLT_LANE8023 in SuSE 6.3 libpcap; we don't currently
 	 * handle it.
+	 * It is also used as the PF (Packet Filter) logging format beginning
+	 * with OpenBSD 3.0.
+ 	 * Remove the '1' if we ever need to multiplex number 17
 	 */
+#if 1 || (defined(HAVE_PFLOG) && defined(DLT_PFLOG) && (DLT_PFLOG == 17))
+	{ 17,		WTAP_ENCAP_PFLOG },
+#endif
 
 	/*
 	 * 18 is DLT_CIP in SuSE 6.3 libpcap; if it's the same as the
Index: wiretap/wtap.c
===================================================================
RCS file: /cvsroot/ethereal/wiretap/wtap.c,v
retrieving revision 1.58
diff -u -r1.58 wiretap/wtap.c
--- wiretap/wtap.c	2001/11/30 07:14:22	1.58
+++ wiretap/wtap.c	2001/12/30 04:49:43
@@ -133,6 +133,9 @@
 
 	/* WTAP_ENCAP_PRISM_HEADER */
 	{ "IEEE 802.11 plus Prism II monitor mode header", "prism" },
+
+	/* WTAP_ENCAP_PFLOG  */
+	{ "OpenBSD PF Firewall logs", "pflog" },
 };
 
 /* Name that should be somewhat descriptive. */
Index: wiretap/wtap.h
===================================================================
RCS file: /cvsroot/ethereal/wiretap/wtap.h,v
retrieving revision 1.99
diff -u -r1.99 wiretap/wtap.h
--- wiretap/wtap.h	2001/12/04 22:28:19	1.99
+++ wiretap/wtap.h	2001/12/30 04:49:44
@@ -101,9 +101,10 @@
 #define WTAP_ENCAP_CISCO_IOS			22
 #define WTAP_ENCAP_LOCALTALK			23
 #define WTAP_ENCAP_PRISM_HEADER			24
+#define WTAP_ENCAP_PFLOG			25
 
 /* last WTAP_ENCAP_ value + 1 */
-#define WTAP_NUM_ENCAP_TYPES			25
+#define WTAP_NUM_ENCAP_TYPES			26
 
 /* File types that can be read by wiretap.
    We support writing some many of these file types, too, so we
--- /dev/null	Sat Dec 29 22:49:45 2001
+++ packet-pflog.c	Sat Dec 29 22:36:06 2001
@@ -0,0 +1,212 @@
+/* packet-pflog.c
+ * Routines for pflog (OpenBSD Firewall Logging) packet disassembly
+ *
+ * $Id$
+ *
+ * Copyright 2001 Mike Frantzen
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *    - Redistributions of source code must retain the above copyright
+ *      notice, this list of conditions and the following disclaimer.
+ *      with the distribution.
+ *          
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+
+#include <glib.h>
+#include "packet.h"
+#include "etypes.h"
+#include "resolv.h"
+#include "packet-ip.h"
+#include "packet-ipv6.h"
+#include "packet-pflog.h"
+
+#ifndef offsetof
+/* Can't trust stddef.h to be there for us */
+# define offsetof(type, member) ((size_t)(&((type *)0)->member))
+#endif
+
+static dissector_handle_t  data_handle, ip_handle, ipv6_handle, pflog_handle;
+
+/* header fields */
+static int proto_pflog = -1;
+static int hf_pflog_af = -1;
+static int hf_pflog_ifname = -1;
+static int hf_pflog_rnr = -1;
+static int hf_pflog_reason = -1;
+static int hf_pflog_action = -1;
+static int hf_pflog_dir = -1;
+
+static gint ett_pflog = -1;
+
+static char *pf_reasons[PFRES_MAX+2] = PFRES_NAMES;
+
+
+void
+capture_pflog(const u_char *pd, int offset, int len, packet_counts *ld)
+{
+  struct pfloghdr pflogh;
+
+  if (!BYTES_ARE_IN_FRAME(offset, len, (int)PFLOG_HDRLEN)) {
+    ld->other++;
+    return;
+  }
+
+  offset += PFLOG_HDRLEN;
+  
+  /* Copy out the pflog header to insure alignment */
+  memcpy(&pflogh, pd, sizeof(pflogh));
+  NTOHL(pflogh.af);
+
+  if (pflogh.af == PF_INET)
+    capture_ip(pd, offset, len, ld);
+#ifdef notyet
+  else if (pflogh.af == PF_INET6)
+    capture_ipv6(pd, offset, len, ld);
+#endif
+  else
+    ld->other++;
+}
+
+static void
+dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+{
+  struct pfloghdr pflogh;
+  tvbuff_t *next_tvb;
+  proto_tree *pflog_tree;
+  proto_item *ti, *tf;
+  char *why;
+
+  if (check_col(pinfo->cinfo, COL_PROTOCOL))
+    col_set_str(pinfo->cinfo, COL_PROTOCOL, "pflog");
+
+  /* Copy out the pflog header to insure alignment */
+  tvb_memcpy(tvb, (guint8 *)&pflogh, 0, sizeof(pflogh));
+
+  /* Byteswap the header now */
+  NTOHL(pflogh.af);
+  NTOHS(pflogh.rnr);
+  NTOHS(pflogh.reason);
+  NTOHS(pflogh.action);
+  NTOHS(pflogh.dir);
+
+  why = (pflogh.reason < PFRES_MAX) ? pf_reasons[pflogh.reason] : "unkn";
+
+  if (tree) {
+    ti = proto_tree_add_protocol_format(tree, proto_pflog, tvb, 0,
+             PFLOG_HDRLEN,
+             "PF Log %s %s on %s by rule %d", pflogh.af == PF_INET ? "IPv4" :
+             pflogh.af == PF_INET6 ? "IPv6" : "unkn",
+             pflogh.action == PF_PASS  ? "passed" :
+             pflogh.action == PF_DROP  ? "dropped" :
+             pflogh.action == PF_SCRUB ? "scrubbed" : "unkn",
+             pflogh.ifname,
+             pflogh.rnr);
+    pflog_tree = proto_item_add_subtree(ti, ett_pflog);
+
+    tf = proto_tree_add_uint_format(pflog_tree, hf_pflog_rnr, tvb,
+             offsetof(struct pfloghdr, rnr), sizeof(pflogh.rnr),
+             pflogh.rnr, "Rule Number: %d", pflogh.rnr);
+    tf = proto_tree_add_string(pflog_tree, hf_pflog_ifname, tvb,
+             offsetof(struct pfloghdr, reason), sizeof(pflogh.reason),
+             pflogh.ifname);
+    tf = proto_tree_add_string(pflog_tree, hf_pflog_reason, tvb,
+             offsetof(struct pfloghdr, reason), sizeof(pflogh.reason),
+             why);
+    tf = proto_tree_add_string(pflog_tree, hf_pflog_action, tvb,
+             offsetof(struct pfloghdr, action), sizeof(pflogh.action),
+             pflogh.action == PF_PASS  ? "pass" :
+             pflogh.action == PF_DROP  ? "drop" :
+             pflogh.action == PF_SCRUB ? "scrub" : "unkn");
+    tf = proto_tree_add_string(pflog_tree, hf_pflog_dir, tvb,
+             offsetof(struct pfloghdr, dir), sizeof(pflogh.dir),
+             pflogh.dir == PF_IN ? "in" : "out");
+  }
+
+  /* Set the tvbuff for the payload after the header */
+  next_tvb = tvb_new_subset(tvb, PFLOG_HDRLEN, -1, -1);
+
+  pinfo->ethertype = (hf_pflog_af == PF_INET) ? ETHERTYPE_IP : ETHERTYPE_IPv6;
+  if (pflogh.af == PF_INET)
+    call_dissector(ip_handle, next_tvb, pinfo, tree);
+  else if (pflogh.af == PF_INET6)
+    call_dissector(ipv6_handle, next_tvb, pinfo, tree);
+  else
+    call_dissector(data_handle, next_tvb, pinfo, tree);
+
+  if (check_col(pinfo->cinfo, COL_INFO)) {
+    col_insert_fstr(pinfo->cinfo, COL_INFO, "[%s %s/#%d] ",
+        pflogh.action == PF_PASS  ? "passed" :
+        pflogh.action == PF_DROP  ? "dropped" :
+        pflogh.action == PF_SCRUB ? "scrubbed" : "unkn",
+        pflogh.ifname,
+        pflogh.rnr);
+  }
+}
+
+void
+proto_register_pflog(void)
+{
+  static hf_register_info hf[] = {
+    { &hf_pflog_af,
+      { "Address Family", "pflog.af", FT_UINT32, BASE_DEC, NULL, 0x0,
+        "Protocol (IPv4 vs IPv6)", HFILL }},
+    { &hf_pflog_ifname,
+      { "Interface", "pflog.ifname", FT_STRING, BASE_NONE, NULL, 0x0,
+        "Interface", HFILL }},
+    { &hf_pflog_rnr,
+      { "Rule Number", "pflog.rnr", FT_UINT16, BASE_DEC, NULL, 0x0,
+        "Last matched firewall rule number", HFILL }},
+    { &hf_pflog_reason,
+      { "Reason", "pflog.reason", FT_STRING, BASE_NONE, NULL, 0x0,
+        "Reason for logging the packet", HFILL }},
+    { &hf_pflog_action,
+      { "Action", "pflog.action", FT_STRING, BASE_NONE, NULL, 0x0,
+        "Action taken by PF on the packet", HFILL }},
+    { &hf_pflog_dir,
+      { "Direction", "pflog.dir", FT_STRING, BASE_NONE, NULL, 0x0,
+        "Direction of packet in stack (inbound versus outbound)", HFILL }},
+  };
+  static gint *ett[] = { &ett_pflog };
+
+  proto_pflog = proto_register_protocol("pflog", "pflog", "pflog");
+  proto_register_field_array(proto_pflog, hf, array_length(hf));
+  proto_register_subtree_array(ett, array_length(ett));
+
+  register_dissector("pflog", dissect_pflog, proto_pflog);
+}
+
+void
+proto_reg_handoff_pflog(void)
+{
+  dissector_handle_t pflog_handle;
+
+  pflog_handle = find_dissector("pflog");
+  ip_handle = find_dissector("ip");
+  ipv6_handle = find_dissector("ipv6");
+  data_handle = find_dissector("data");
+  dissector_add("wtap_encap", WTAP_ENCAP_PFLOG, pflog_handle);
+}
--- /dev/null	Sat Dec 29 22:49:45 2001
+++ packet-pflog.h	Sat Dec 29 22:33:39 2001
@@ -0,0 +1,100 @@
+/* packet-pflog.h
+ *
+ * $Id$
+ *
+ * Copyright 2001 Mike Frantzen
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *    - Redistributions of source code must retain the above copyright
+ *      notice, this list of conditions and the following disclaimer.
+ *      with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __PACKET_PFLOG_H__
+#define __PACKET_PFLOG_H__
+
+#if defined(HAVE_PFLOG)
+/* We're on an OpenBSD machine */
+# include <sys/param.h>
+# include <sys/time.h>
+# include <sys/socket.h>
+
+# include <net/if.h>
+# include <net/if_pflog.h>
+
+# include <net/pfvar.h>
+
+# define PF_INET        AF_INET
+# define PF_INET6       AF_INET6
+
+#else
+/* Bah.  Fake the header */
+
+struct pfloghdr {
+  guint32       af;
+  char          ifname[16];
+  gint16        rnr;
+  guint16       reason;
+  guint16       action;
+  guint16       dir;
+};
+#define PFLOG_HDRLEN    sizeof(struct pfloghdr)
+
+/* Named reasons */
+#define PFRES_NAMES  { \
+  "match", \
+  "bad-offset", \
+  "fragment", \
+  "short", \
+  "normalize", \
+  "memory", \
+  NULL \
+}
+#define PFRES_MAX 6
+
+/* Actions */
+#define PF_PASS  0
+#define PF_DROP  1
+#define PF_SCRUB 2
+
+/* Directions */
+#define PF_IN  0
+#define PF_OUT 1
+
+/* BSDisms */
+#ifndef NTOHL
+# define NTOHL(x)       x = ntohl(x)
+#endif
+#ifndef NTOHS
+# define NTONS(x)       x = ntohs(x)
+#endif
+#ifndef HTONL
+# define HTONL(x)       x = htonl(x)
+#endif
+#ifndef HTONS
+# define HTONS(x)       x = htons(x)
+#endif
+
+# define PF_INET        2
+# define PF_INET6       24
+
+#endif
+
+#endif /* __PACKET_PFLOG_H__ */
Follow-Ups:
- Re: [Ethereal-dev] diff to grok openbsd firewall logs
  - From: Guy Harris
Prev by Date: Re: [Ethereal-dev] small update for ypbind
Next by Date: Re: [Ethereal-dev] A small patch to gtk/dfilter_expr_dlg.c
Previous by thread: Re: [Ethereal-dev] small update for ypbind
Next by thread: Re: [Ethereal-dev] diff to grok openbsd firewall logs
Index(es):
- Date
- Thread
Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark
Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark
Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application
$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$