thanks, I've committed a tweaked version (using the size from the system
header rather than a fixed value).

On 2024/06/24 17:39, K R wrote:
> >Synopsis:      ngrep can't read OpenBSD pflog files
> >Category:      ports amd64
> 
> >Environment:
>         System      : OpenBSD 7.5
>         Details     : OpenBSD 7.5-current (GENERIC) #146: Sun Jun 23
> 21:58:39 MDT 2024
> 
> deraadt@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
> 
>         Architecture: OpenBSD.amd64
>         Machine     : amd64
> 
> >Description:
>         tcpdump works as expected:
> 
>         vm# tcpdump -nlq -r /var/log/pflog -c 1
>         18:38:59.703428 fd00::1.32597 > fd00::2.12345: tcp 0 [class 0x10]
>         [flowlabel 0x9608d]
> 
>         But ngrep won't read OpenBSD pflog files correctly, including
>         timestamps:
> 
>         vm# ngrep -q -t -I /var/log/pflog -n 1
>         input: /var/log/pflog
>         filter: (ip || ip6)
> 
>         ? 95740049/05/04 19:23:47.703428 P$.N.| ->  #1
>           ........._.......................................U09a.`..,.@...............
>           ..................U096#.r......@.3e..
> 
> >How-To-Repeat:
>         ngrep -q -t I /var/log/pflog
> 
> >Fix:
>         Please have a look at the patch files attached, they seem to
>         fix the problem.
> 
> Thanks,
> --Kor