The PF firewall offers a facility called pflog which allows users to define traffic which will be logged to a file that matches certain rules. This traffic is written to the file in tcpdump format, so it should be readable with this program; however, the pflog program inserts a new header into each logged packet which states the firewall rule matched and the action (pass/block) taken on the packet. This appears to be causing problems with the parsing that Network Miner performs on the packet as it only lists the traffic under the "Frames" tab and declares the packet to be of unknown type. This format is currently parsed by Wireshark, so it should be feasible to implement here. The fact that this new header makes the entire packet fail to be analyzed might suggest that the parsing code could use a review in order to allow it to continue to parse subsequent known header types after failing to recognize one of the headers (in fact this would be an acceptable alternative to actually parsing the pflog header, in my case).
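To show how a decoder can step over the pflog header and still reach the IP packet behind it (the point raised in the post above), here is an added Python example; it is not NetworkMiner's or Wireshark's code. It assumes the classic pfloghdr layout from libpcap's pflog.h and uses a constructed sample frame rather than a real capture.

```python
import struct
PF_ACTIONS = {0: "pass", 1: "block"}    # PF_PASS / PF_DROP in pf.h
PF_DIRS = {0: "inout", 1: "in", 2: "out"}
AF_INET = 2                             # BSD value carried in the af byte

def parse_pflog_header(buf):
    """Return (pflog fields, offset of the inner IP packet). Layout assumed:
    classic pfloghdr from libpcap's pflog.h (length, af, action, reason,
    ifname[16], ruleset[16], rulenr, subrulenr, uid, pid, rule_uid, rule_pid,
    dir, pad[3]); only the length byte is trusted to locate the payload."""
    if len(buf) < 4:
        raise ValueError("truncated pflog header")
    hdrlen, af, action, reason = struct.unpack_from("!BBBB", buf, 0)
    payload_off = (hdrlen + 3) & ~3     # kernel pads the header to 4 bytes
    if hdrlen < 4 or payload_off > len(buf):
        raise ValueError("bad pflog header length %d" % hdrlen)
    fields = {"af": af, "reason": reason,
              "action": PF_ACTIONS.get(action, "other(%d)" % action)}
    if hdrlen >= 61:                    # full classic header present
        ifname, ruleset, rulenr = struct.unpack_from("!16s16sI", buf, 4)
        fields["ifname"] = ifname.split(b"\0", 1)[0].decode()
        fields["ruleset"] = ruleset.split(b"\0", 1)[0].decode()
        fields["rulenr"] = rulenr       # written with htonl, hence "!"
        fields["dir"] = PF_DIRS.get(buf[60], "unknown")
    return fields, payload_off

def decode_ipv4(pkt):
    """Minimal IPv4 header decode of the packet that follows the pflog header."""
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return {"src": src, "dst": dst, "proto": pkt[9], "ihl": (pkt[0] & 0x0F) * 4}

def parse_pflog_frame(frame):
    """Parse one DLT_PFLOG frame; an unknown inner type keeps the pflog fields."""
    hdr, off = parse_pflog_header(frame)
    inner = frame[off:]
    if hdr["af"] == AF_INET and len(inner) >= 20 and (inner[0] >> 4) == 4:
        hdr["ip"] = decode_ipv4(inner)
    else:
        hdr["ip"] = None                # not IPv4: record what we do know
    return hdr

def build_sample_frame():
    """Constructed sample (not a real capture): inbound UDP/53 blocked on em0."""
    hdr = struct.pack("!BBBB16s16sIIiiiiB3x", 61, AF_INET, 1, 0, b"em0", b"",
                      12, 0, -1, -1, -1, -1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return hdr + ip + struct.pack("!HHHH", 40000, 53, 8, 0)
```

A short pflog header with an address family the decoder does not know still yields the rule and action fields, which is the graceful-degradation behaviour the post asks for.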