From: K R <daharmasterkor@gmail.com>
Subject: bug: ngrep can't read OpenBSD pflog files
To: ports@openbsd.org
Date: Mon, 24 Jun 2024 17:39:20 -0300

>Synopsis:      ngrep can't read OpenBSD pflog files
>Category:      ports amd64

>Environment:
        System      : OpenBSD 7.5
        Details     : OpenBSD 7.5-current (GENERIC) #146: Sun Jun 23
21:58:39 MDT 2024

deraadt@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

        Architecture: OpenBSD.amd64
        Machine     : amd64

>Description:
        tcpdump works as expected:

        vm# tcpdump -nlq -r /var/log/pflog -c 1
        18:38:59.703428 fd00::1.32597 > fd00::2.12345: tcp 0 [class 0x10]
        [flowlabel 0x9608d]

        But ngrep won't read OpenBSD pflog files correctly, including
        timestamps:

        vm# ngrep -q -t -I /var/log/pflog -n 1
        input: /var/log/pflog
        filter: (ip || ip6)

        ? 95740049/05/04 19:23:47.703428 P$.N.| ->  #1
          ........._.......................................U09a.`..,.@...............
          ..................U096#.r......@.3e..

>How-To-Repeat:
        ngrep -q -t I /var/log/pflog

>Fix:
        Please have a look at the patch files attached, they seem to
        fix the problem.

Thanks,
--Kor