Different Behaviour - 32bit vs 64bit - tcpdump pflog0



  • First of all let me thank the Developers and the Community for this great piece of Software and People behind it.
    I have been using pfsense professionally and at home for quite a while now and stumbeld upon a strange behaviour during inital testing of Version 2.3.x

    Bear with me a second as I try to explain:

    Starting point:
    2 Fresh and New installed pfsense boxes - One with 32bit Full Image and one with the 64bit Full Image.

    Using the command: tcpdump -s 1518 -l -n -v -e -i pflog0

    ############################################################################################################################################
    The 32bit Version Output:
    [2.3.1-RELEASE][root@pfSense32.localdomain]/root: uname -ar
    FreeBSD pfSense32.localdomain 10.3-RELEASE-p3 FreeBSD 10.3-RELEASE-p3 #1 3ef16fb(RELENG_2_3_1): Tue May 17 19:34:28 CDT 2016    root@ce23-i386-builder:/builder/pfsense-231/tmp/obj/builder/pfsense-231/tmp/FreeBSD-src/sys/pfSense  i386

    [2.3.1-RELEASE][root@pfSense32.localdomain]/root: tcpdump -s 1518 -l -n -v -e -i pflog0
    tcpdump: WARNING: pflog0: no IPv4 address assigned
    tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 1518 bytes
    10:26:42.186010 rule 5..16777216/0(match): block in on em1: (tos 0x0, ttl 128, id 3551, offset 0, flags [none], proto ICMP (1), length 60)
        192.168.53.1 > 192.168.53.32: ICMP echo request, id 1, seq 1394, length 40

    ############################################################################################################################################
    The 64bit Version Output:
    –-
    [2.3.1-RELEASE][root@pfSense64.localdomain]/root: uname -ar
    FreeBSD pfSense64.localdomain 10.3-RELEASE-p3 FreeBSD 10.3-RELEASE-p3 #1 3ef16fb(RELENG_2_3_1): Tue May 17 19:34:13 CDT 2016    root@ce23-amd64-builder:/builder/pfsense-231/tmp/obj/builder/pfsense-231/tmp/FreeBSD-src/sys/pfSense  amd64

    [2.3.1-RELEASE][root@pfSense64.localdomain]/root: tcpdump -s 1518 -l -n -v -e -i pflog0
    tcpdump: WARNING: pflog0: no IPv4 address assigned
    tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 1518 bytes
    10:26:23.825680 rule 5..16777216/0(match): block in on em1: IP0 bad-len 0

    ############################################################################################################################################

    As you can see, the 32bit Version outputs nicely the Source and Destination IP and all the details, as for the 64bit Version it only output the matching RuleID and the action on the interface - no Source or Destination IP and no other Details - only bad-len or sometimes bad-hlen.

    The Only difference is the Architecture, I have also tried and verified it on several other Installations and Hardware - always with the same conclusion.

    My Google-Fu only came up with this old Bug, which is the closest relation to the issue I could find (https://redmine.pfsense.org/issues/3648).

    This is not life threatening, but I sure find it odd behaviour and looking for a solution or fix.

    Many thanks for reading sofar along and providing any kind of Feedback.
    Best wishes
    mbsig2016


  • Rebel Alliance Developer Netgate

    As I asked on the other thread but never saw an answer for: Why are you using tcpdump on pflog directly? That isn't how you watch for log messages on 2.2 or 2.3.


Log in to reply