On Sat, Dec 29, 2001 at 10:59:54PM -0600, Mike Frantzen wrote:
> It also adds col_insert_fstr() so the dissector can prepend the firewall
> rule action, the applied rule number and the interface to the
> info column.

Perhaps "col_prepend_fstr()" would be a better name, along the lines of
"col_append_fstr()"? The string could be "inserted" anywhere in the
column, so "col_insert_fstr()" doesn't imply "at the beginning" to me.

> Index: wiretap/libpcap.c
> ===================================================================
> RCS file: /cvsroot/ethereal/wiretap/libpcap.c,v
> retrieving revision 1.62
> diff -u -r1.62 wiretap/libpcap.c
> --- wiretap/libpcap.c 2001/12/04 07:32:05 1.62
> +++ wiretap/libpcap.c 2001/12/30 04:49:42
> @@ -230,7 +230,13 @@
> /*
> * 17 is DLT_LANE8023 in SuSE 6.3 libpcap; we don't currently
> * handle it.
> + * It is also used as the PF (Packet Filter) logging format beginning
> + * with OpenBSD 3.0.

...but libpcap 0.7 beta reserves 117, not 17, for it (in order to avoid
the collision in question).

It'd be a Good Idea if OpenBSD used 117 rather than 17 as well.

> --- /dev/null Sat Dec 29 22:49:45 2001
> +++ packet-pflog.h Sat Dec 29 22:33:39 2001
> @@ -0,0 +1,100 @@
...
> +#if defined(HAVE_PFLOG)
> +/* We're on an OpenBSD machine */
> +# include <sys/param.h>
> +# include <sys/time.h>
> +# include <sys/socket.h>
> +
> +# include <net/if.h>
> +# include <net/if_pflog.h>
> +
> +# include <net/pfvar.h>
> +
> +# define PF_INET AF_INET
> +# define PF_INET6 AF_INET6
> +
> +#else
> +/* Bah. Fake the header */
> +
> +struct pfloghdr {
> + guint32 af;
> + char ifname[16];
> + gint16 rnr;
> + guint16 reason;
> + guint16 action;
> + guint16 dir;
> +};
> +#define PFLOG_HDRLEN sizeof(struct pfloghdr)
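Review bot: char ifname[16] in the fallback struct pfloghdr is filled straight from capture-file data, so nothing guarantees a terminating NUL; because the interface name is meant to be prepended to the info column, format it with a bounded conversion such as "%.16s" or copy it into a 17-byte buffer and terminate it first. The struct also leaves the byte order of af, rnr, reason, action and dir undocumented, and defining PFLOG_HDRLEN as sizeof(struct pfloghdr) ties the header length to the compiler's layout; a comment stating the on-disk byte order and a literal length would make the file format explicit.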

You should probably just unconditionally fake the header. Capture file
format shouldn't depend on, or be defined solely by, header files on a
particular OS.
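
One way to follow the suggestion above, as an added example that is not part of the original thread or of Ethereal's code: read the pflog header from the captured bytes at fixed offsets rather than through an OS struct. The names pflog_parse, pflog_info, PFLOG_WIRE_LEN and sample_hdr are hypothetical, and big-endian field encoding is an assumption the thread does not state.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout taken from the struct pfloghdr quoted above:
 * af(4) ifname(16) rnr(2) reason(2) action(2) dir(2) = 28 bytes. */
#define PFLOG_WIRE_LEN   28
#define PFLOG_IFNAME_LEN 16

struct pflog_info {
    uint32_t af;
    char     ifname[PFLOG_IFNAME_LEN + 1]; /* always NUL-terminated */
    int16_t  rnr;
    uint16_t reason, action, dir;
};

/* Assumption: multi-byte fields are big-endian (network byte order). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 0 on success, -1 if the captured data is shorter than the header. */
int pflog_parse(const uint8_t *buf, size_t caplen, struct pflog_info *out)
{
    if (buf == NULL || out == NULL || caplen < PFLOG_WIRE_LEN)
        return -1;
    out->af = rd32(buf);
    memcpy(out->ifname, buf + 4, PFLOG_IFNAME_LEN);
    out->ifname[PFLOG_IFNAME_LEN] = '\0';  /* file data may lack a NUL */
    out->rnr    = (int16_t)rd16(buf + 20);
    out->reason = rd16(buf + 22);
    out->action = rd16(buf + 24);
    out->dir    = rd16(buf + 26);
    return 0;
}

/* Constructed sample header: af=2, an interface name that fills all
 * 16 bytes with no NUL, rnr=-1, reason=0, action=1, dir=0. */
static const uint8_t sample_hdr[PFLOG_WIRE_LEN] = {
    0, 0, 0, 2,
    'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p',
    0xff, 0xff,  0, 0,  0, 1,  0, 0
};
```

The parsed ifname can be passed to a "%s" format safely because the copy is terminated independently of what the file contains.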