authorGuy Harris <guy@alum.mit.edu>2003-05-15 07:14:46 +0000
committerGuy Harris <guy@alum.mit.edu>2003-05-15 07:14:46 +0000
commit86f3c38c4aef93560541c50e2f501e94802b337d (patch)
treeada44233717d4e44f714b769a32c266591b0aa57
parent64840abd9f877dc56d773fc1c3884dc1f171b249 (diff)
From Can Erkin Acar: OpenBSD is now using tcpdump.org-assigned DLT_
value for DLT_PFLOG, and that goes along with a change to the link-layer header for DLT_PFLOG - support both the old and new values and format. svn path=/trunk/; revision=7676
-rw-r--r--AUTHORS4
-rw-r--r--doc/ethereal.pod.template1
-rw-r--r--packet-pflog.c321
-rw-r--r--packet-pflog.h30
-rw-r--r--wiretap/libpcap.c4
-rw-r--r--wiretap/wtap.c10
-rw-r--r--wiretap/wtap.h7
7 files changed, 321 insertions, 56 deletions
diff --git a/AUTHORS b/AUTHORS
index 6daab455bc..8ff29d566d 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -1696,6 +1696,10 @@ Mark C. Brown <mbrown [AT] nosila.net> {
Improvements to code that reads HP-UX nettl files
}
+Can Erkin Acar <canacar [AT] eee.metu.edu.tr> {
+ Support for new DLT_PFLOG format
+}
+
And assorted fixes and enhancements by the people listed above and by:
Pavel Roskin <proski [AT] gnu.org>
diff --git a/doc/ethereal.pod.template b/doc/ethereal.pod.template
index 5e5fd5d771..8b7381abc2 100644
--- a/doc/ethereal.pod.template
+++ b/doc/ethereal.pod.template
@@ -1761,6 +1761,7 @@ B<http://www.ethereal.com>.
Matthijs Melchior <mmelchior [AT] xs4all.nl>
Garth Bushell <gbushell [AT] elipsan.com>
Mark C. Brown <mbrown [AT] nosila.net>
+ Can Erkin Acar <canacar [AT] eee.metu.edu.tr>
Pavel Roskin <proski [AT] gnu.org>
Georgi Guninski <guninski [AT] guninski.com>
Jason Copenhaver <jcopenha [AT] typedef.org>
diff --git a/packet-pflog.c b/packet-pflog.c
index 1bfe3c0243..b1b67628b9 100644
--- a/packet-pflog.c
+++ b/packet-pflog.c
@@ -1,7 +1,7 @@
/* packet-pflog.c
* Routines for pflog (OpenBSD Firewall Logging) packet disassembly
*
- * $Id: packet-pflog.c,v 1.7 2002/08/28 21:00:25 jmayer Exp $
+ * $Id: packet-pflog.c,v 1.8 2003/05/15 07:14:44 guy Exp $
*
* Copyright 2001 Mike Frantzen
* All rights reserved.
@@ -46,36 +46,63 @@
# define offsetof(type, member) ((size_t)(&((type *)0)->member))
#endif
+#ifndef BPF_WORDALIGN
+#define BPF_ALIGNMENT sizeof(long)
+#define BPF_WORDALIGN(x) (((x) + (BPF_ALIGNMENT - 1)) & ~(BPF_ALIGNMENT - 1))
+#endif
+
static dissector_handle_t data_handle, ip_handle, ipv6_handle;
/* header fields */
static int proto_pflog = -1;
+static int hf_pflog_length = -1;
static int hf_pflog_af = -1;
-static int hf_pflog_ifname = -1;
-static int hf_pflog_rnr = -1;
-static int hf_pflog_reason = -1;
static int hf_pflog_action = -1;
+static int hf_pflog_reason = -1;
+static int hf_pflog_ifname = -1;
+static int hf_pflog_ruleset = -1;
+static int hf_pflog_rulenr = -1;
+static int hf_pflog_subrulenr = -1;
static int hf_pflog_dir = -1;
static gint ett_pflog = -1;
+/* old header */
+static int proto_old_pflog = -1;
+static int hf_old_pflog_af = -1;
+static int hf_old_pflog_ifname = -1;
+static int hf_old_pflog_rnr = -1;
+static int hf_old_pflog_reason = -1;
+static int hf_old_pflog_action = -1;
+static int hf_old_pflog_dir = -1;
+
+static gint ett_old_pflog = -1;
+
void
capture_pflog(const guchar *pd, int offset, int len, packet_counts *ld)
{
- struct pfloghdr pflogh;
+ struct pfloghdr *pflogh;
+ unsigned int hdrlen;
- if (!BYTES_ARE_IN_FRAME(offset, len, (int)PFLOG_HDRLEN)) {
+ pflogh = (struct pfloghdr *)pd;
+
+ if (!BYTES_ARE_IN_FRAME(offset, len, sizeof(guint8))) {
ld->other++;
return;
}
- offset += PFLOG_HDRLEN;
-
- /* Copy out the pflog header to insure alignment */
- memcpy(&pflogh, pd, sizeof(pflogh));
- pflogh.af = g_ntohl(pflogh.af);
+ if (pflogh->length < MIN_PFLOG_HDRLEN) {
+ ld->other++;
+ return;
+ }
+ hdrlen = BPF_WORDALIGN(pflogh->length);
+ if (!BYTES_ARE_IN_FRAME(offset, hdrlen, sizeof(guint8))) {
+ ld->other++;
+ return;
+ }
+ offset += hdrlen;
- switch (pflogh.af) {
+ switch (pflogh->af) {
case BSD_PF_INET:
capture_ip(pd, offset, len, ld);
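Review bot: The second bounds check in capture_pflog, `BYTES_ARE_IN_FRAME(offset, hdrlen, sizeof(guint8))`, appears to pass its arguments in the wrong order: the other calls on this page use `(offset, len, size)`, so this line tests one byte against hdrlen instead of testing hdrlen bytes against the captured length. As written, a frame shorter than the header length it advertises is not rejected, and `pflogh->af` is then read through `pd` although only the first byte was checked. The check should read `if (!BYTES_ARE_IN_FRAME(offset, len, (int)hdrlen)) {`. Separately, `BPF_ALIGNMENT` is `sizeof(long)`, so the padded header length depends on the host reading the capture rather than on the file; a fixed 4-byte alignment is probably what is meant, to be confirmed against the OpenBSD definition. The body of capture_pflog continues past the end of this hunk.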
@@ -116,19 +143,29 @@ static const value_string action_vals[] = {
{ 0, NULL }
};
+static const value_string old_dir_vals[] = {
+ { PF_OLD_IN, "in" },
+ { PF_OLD_OUT, "out" },
+ { 0, NULL }
+};
+
static const value_string dir_vals[] = {
- { PF_IN, "in" },
- { PF_OUT, "out" },
- { 0, NULL }
+ { PF_INOUT, "inout" },
+ { PF_IN, "in" },
+ { PF_OUT, "out" },
+ { 0, NULL }
};
static void
dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
+#define MAX_RULE_STR 128
struct pfloghdr pflogh;
+ static char rulestr[MAX_RULE_STR];
tvbuff_t *next_tvb;
proto_tree *pflog_tree;
proto_item *ti;
+ int hdrlen;
if (check_col(pinfo->cinfo, COL_PROTOCOL))
col_set_str(pinfo->cinfo, COL_PROTOCOL, "PFLOG");
@@ -137,44 +174,71 @@ dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
tvb_memcpy(tvb, (guint8 *)&pflogh, 0, sizeof(pflogh));
/* Byteswap the header now */
- pflogh.af = g_ntohl(pflogh.af);
- pflogh.rnr = g_ntohs(pflogh.rnr);
- pflogh.reason = g_ntohs(pflogh.reason);
- pflogh.action = g_ntohs(pflogh.action);
- pflogh.dir = g_ntohs(pflogh.dir);
+ pflogh.rulenr = g_ntohl(pflogh.rulenr);
+ pflogh.subrulenr = g_ntohl(pflogh.subrulenr);
+
+ hdrlen = BPF_WORDALIGN(pflogh.length);
+
+ if (pflogh.subrulenr == (u_int32_t) -1)
+ snprintf(rulestr, sizeof(rulestr), "%u",
+ pflogh.rulenr);
+ else
+ snprintf(rulestr, sizeof(rulestr), "%u.%s.%u",
+ pflogh.rulenr, pflogh.ruleset, pflogh.subrulenr);
+
+ if (hdrlen < MIN_PFLOG_HDRLEN) {
+ if (tree) {
+ ti = proto_tree_add_protocol_format(tree, proto_pflog, tvb, 0,
+ hdrlen, "PF Log invalid header length (%u)", hdrlen);
+ }
+ if (check_col(pinfo->cinfo, COL_INFO)) {
+ col_prepend_fstr(pinfo->cinfo, COL_INFO, "Invalid header length %u",
+ hdrlen);
+ }
+ return;
+ }
if (tree) {
ti = proto_tree_add_protocol_format(tree, proto_pflog, tvb, 0,
- PFLOG_HDRLEN,
- "PF Log %s %s on %s by rule %d",
+ hdrlen,
+ "PF Log %s %s on %s by rule %s",
val_to_str(pflogh.af, af_vals, "unknown (%u)"),
val_to_str(pflogh.action, action_vals, "unknown (%u)"),
pflogh.ifname,
- pflogh.rnr);
+ rulestr);
pflog_tree = proto_item_add_subtree(ti, ett_pflog);
+ proto_tree_add_uint(pflog_tree, hf_pflog_length, tvb,
+ offsetof(struct pfloghdr, length), sizeof(pflogh.length),
+ pflogh.length);
proto_tree_add_uint(pflog_tree, hf_pflog_af, tvb,
offsetof(struct pfloghdr, af), sizeof(pflogh.af),
pflogh.af);
- proto_tree_add_int(pflog_tree, hf_pflog_rnr, tvb,
- offsetof(struct pfloghdr, rnr), sizeof(pflogh.rnr),
- pflogh.rnr);
- proto_tree_add_string(pflog_tree, hf_pflog_ifname, tvb,
- offsetof(struct pfloghdr, ifname), sizeof(pflogh.ifname),
- pflogh.ifname);
- proto_tree_add_uint(pflog_tree, hf_pflog_reason, tvb,
- offsetof(struct pfloghdr, reason), sizeof(pflogh.reason),
- pflogh.reason);
proto_tree_add_uint(pflog_tree, hf_pflog_action, tvb,
offsetof(struct pfloghdr, action), sizeof(pflogh.action),
pflogh.action);
+ proto_tree_add_uint(pflog_tree, hf_pflog_reason, tvb,
+ offsetof(struct pfloghdr, reason), sizeof(pflogh.reason),
+ pflogh.reason);
+ proto_tree_add_string(pflog_tree, hf_pflog_ifname, tvb,
+ offsetof(struct pfloghdr, ifname), sizeof(pflogh.ifname),
+ pflogh.ifname);
+ proto_tree_add_string(pflog_tree, hf_pflog_ruleset, tvb,
+ offsetof(struct pfloghdr, ruleset), sizeof(pflogh.ruleset),
+ pflogh.ruleset);
+ proto_tree_add_int(pflog_tree, hf_pflog_rulenr, tvb,
+ offsetof(struct pfloghdr, rulenr), sizeof(pflogh.rulenr),
+ pflogh.rulenr);
+ proto_tree_add_int(pflog_tree, hf_pflog_subrulenr, tvb,
+ offsetof(struct pfloghdr, subrulenr), sizeof(pflogh.subrulenr),
+ pflogh.subrulenr);
proto_tree_add_uint(pflog_tree, hf_pflog_dir, tvb,
offsetof(struct pfloghdr, dir), sizeof(pflogh.dir),
pflogh.dir);
}
/* Set the tvbuff for the payload after the header */
- next_tvb = tvb_new_subset(tvb, PFLOG_HDRLEN, -1, -1);
+ next_tvb = tvb_new_subset(tvb, hdrlen, -1, -1);
switch (pflogh.af) {
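Review bot: `pflogh.ruleset` and `pflogh.ifname` are fixed 16-byte arrays copied straight from the packet, and nothing here guarantees they are NUL-terminated, yet both are formatted with a bare `%s` (the `snprintf` into rulestr, the `proto_tree_add_protocol_format` summary, and the `col_prepend_fstr` call in the next hunk). snprintf limits what is written, not what is read, so a capture with 16 non-zero bytes in either field makes the formatter read past the end of the array. Bound the read with a precision, e.g. `snprintf(rulestr, sizeof(rulestr), "%u.%.*s.%u", pflogh.rulenr, (int)sizeof(pflogh.ruleset), pflogh.ruleset, pflogh.subrulenr);`, and use `%.*s` with `(int)sizeof(pflogh.ifname)` for ifname in the same way. The rulestr formatting also runs before the `hdrlen < MIN_PFLOG_HDRLEN` check; moving it below that check keeps a rejected header from being interpreted at all. dissect_pflog starts before this hunk and continues after it.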
@@ -192,10 +256,10 @@ dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
}
if (check_col(pinfo->cinfo, COL_INFO)) {
- col_prepend_fstr(pinfo->cinfo, COL_INFO, "[%s %s/#%d] ",
+ col_prepend_fstr(pinfo->cinfo, COL_INFO, "[%s %s/%s] ",
val_to_str(pflogh.action, action_vals, "unknown (%u)"),
pflogh.ifname,
- pflogh.rnr);
+ rulestr);
}
}
@@ -203,23 +267,32 @@ void
proto_register_pflog(void)
{
static hf_register_info hf[] = {
+ { &hf_pflog_length,
+ { "Header Length", "pflog.length", FT_UINT8, BASE_DEC, NULL, 0x0,
+ "Length of Header", HFILL }},
{ &hf_pflog_af,
{ "Address Family", "pflog.af", FT_UINT32, BASE_DEC, VALS(af_vals), 0x0,
"Protocol (IPv4 vs IPv6)", HFILL }},
+ { &hf_pflog_action,
+ { "Action", "pflog.action", FT_UINT8, BASE_DEC, VALS(action_vals), 0x0,
+ "Action taken by PF on the packet", HFILL }},
+ { &hf_pflog_reason,
+ { "Reason", "pflog.reason", FT_UINT8, BASE_DEC, VALS(reason_vals), 0x0,
+ "Reason for logging the packet", HFILL }},
{ &hf_pflog_ifname,
{ "Interface", "pflog.ifname", FT_STRING, BASE_NONE, NULL, 0x0,
"Interface", HFILL }},
- { &hf_pflog_rnr,
- { "Rule Number", "pflog.rnr", FT_INT16, BASE_DEC, NULL, 0x0,
- "Last matched firewall rule number", HFILL }},
- { &hf_pflog_reason,
- { "Reason", "pflog.reason", FT_UINT16, BASE_DEC, VALS(reason_vals), 0x0,
- "Reason for logging the packet", HFILL }},
- { &hf_pflog_action,
- { "Action", "pflog.action", FT_UINT16, BASE_DEC, VALS(action_vals), 0x0,
- "Action taken by PF on the packet", HFILL }},
+ { &hf_pflog_ruleset,
+ { "Ruleset", "pflog.ruleset", FT_STRING, BASE_NONE, NULL, 0x0,
+ "Ruleset name in anchor", HFILL }},
+ { &hf_pflog_rulenr,
+ { "Rule Number", "pflog.rulenr", FT_INT32, BASE_DEC, NULL, 0x0,
+ "Last matched firewall main ruleset rule number", HFILL }},
+ { &hf_pflog_subrulenr,
+ { "Sub Rule Number", "pflog.subrulenr", FT_INT32, BASE_DEC, NULL, 0x0,
+ "Last matched firewall anchored ruleset rule number", HFILL }},
{ &hf_pflog_dir,
- { "Direction", "pflog.dir", FT_UINT16, BASE_DEC, VALS(dir_vals), 0x0,
+ { "Direction", "pflog.dir", FT_UINT8, BASE_DEC, VALS(dir_vals), 0x0,
"Direction of packet in stack (inbound versus outbound)", HFILL }},
};
static gint *ett[] = { &ett_pflog };
@@ -242,3 +315,161 @@ proto_reg_handoff_pflog(void)
pflog_handle = create_dissector_handle(dissect_pflog, proto_pflog);
dissector_add("wtap_encap", WTAP_ENCAP_PFLOG, pflog_handle);
}
+
+
+void
+capture_old_pflog(const guchar *pd, int offset, int len, packet_counts *ld)
+{
+ struct old_pfloghdr pflogh;
+
+ if (!BYTES_ARE_IN_FRAME(offset, len, (int)OLD_PFLOG_HDRLEN)) {
+ ld->other++;
+ return;
+ }
+
+ offset += OLD_PFLOG_HDRLEN;
+
+ /* Copy out the pflog header to insure alignment */
+ memcpy(&pflogh, pd, sizeof(pflogh));
+ pflogh.af = g_ntohl(pflogh.af);
+
+ switch (pflogh.af) {
+
+ case BSD_PF_INET:
+ capture_ip(pd, offset, len, ld);
+ break;
+
+#ifdef notyet
+ case BSD_PF_INET6:
+ capture_ipv6(pd, offset, len, ld);
+ break;
+#endif
+
+ default:
+ ld->other++;
+ break;
+ }
+}
+
+static void
+dissect_old_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+{
+ struct old_pfloghdr pflogh;
+ tvbuff_t *next_tvb;
+ proto_tree *pflog_tree;
+ proto_item *ti;
+
+ if (check_col(pinfo->cinfo, COL_PROTOCOL))
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "PFLOG-OLD");
+
+ /* Copy out the pflog header to insure alignment */
+ tvb_memcpy(tvb, (guint8 *)&pflogh, 0, sizeof(pflogh));
+
+ /* Byteswap the header now */
+ pflogh.af = g_ntohl(pflogh.af);
+ pflogh.rnr = g_ntohs(pflogh.rnr);
+ pflogh.reason = g_ntohs(pflogh.reason);
+ pflogh.action = g_ntohs(pflogh.action);
+ pflogh.dir = g_ntohs(pflogh.dir);
+
+ if (tree) {
+ ti = proto_tree_add_protocol_format(tree, proto_old_pflog, tvb, 0,
+ OLD_PFLOG_HDRLEN,
+ "PF Log (pre 3.4) %s %s on %s by rule %d",
+ val_to_str(pflogh.af, af_vals, "unknown (%u)"),
+ val_to_str(pflogh.action, action_vals, "unknown (%u)"),
+ pflogh.ifname,
+ pflogh.rnr);
+ pflog_tree = proto_item_add_subtree(ti, ett_pflog);
+
+ proto_tree_add_uint(pflog_tree, hf_old_pflog_af, tvb,
+ offsetof(struct old_pfloghdr, af), sizeof(pflogh.af),
+ pflogh.af);
+ proto_tree_add_int(pflog_tree, hf_old_pflog_rnr, tvb,
+ offsetof(struct old_pfloghdr, rnr), sizeof(pflogh.rnr),
+ pflogh.rnr);
+ proto_tree_add_string(pflog_tree, hf_old_pflog_ifname, tvb,
+ offsetof(struct old_pfloghdr, ifname), sizeof(pflogh.ifname),
+ pflogh.ifname);
+ proto_tree_add_uint(pflog_tree, hf_old_pflog_reason, tvb,
+ offsetof(struct old_pfloghdr, reason), sizeof(pflogh.reason),
+ pflogh.reason);
+ proto_tree_add_uint(pflog_tree, hf_old_pflog_action, tvb,
+ offsetof(struct old_pfloghdr, action), sizeof(pflogh.action),
+ pflogh.action);
+ proto_tree_add_uint(pflog_tree, hf_old_pflog_dir, tvb,
+ offsetof(struct old_pfloghdr, dir), sizeof(pflogh.dir),
+ pflogh.dir);
+ }
+
+ /* Set the tvbuff for the payload after the header */
+ next_tvb = tvb_new_subset(tvb, OLD_PFLOG_HDRLEN, -1, -1);
+
+ switch (pflogh.af) {
+
+ case BSD_PF_INET:
+ call_dissector(ip_handle, next_tvb, pinfo, tree);
+ break;
+
+ case BSD_PF_INET6:
+ call_dissector(ipv6_handle, next_tvb, pinfo, tree);
+ break;
+
+ default:
+ call_dissector(data_handle, next_tvb, pinfo, tree);
+ break;
+ }
+
+ if (check_col(pinfo->cinfo, COL_INFO)) {
+ col_prepend_fstr(pinfo->cinfo, COL_INFO, "[%s %s/#%d] ",
+ val_to_str(pflogh.action, action_vals, "unknown (%u)"),
+ pflogh.ifname,
+ pflogh.rnr);
+ }
+}
+
+void
+proto_register_old_pflog(void)
+{
+ static hf_register_info hf[] = {
+ { &hf_old_pflog_af,
+ { "Address Family", "pflog.af", FT_UINT32, BASE_DEC, VALS(af_vals), 0x0,
+ "Protocol (IPv4 vs IPv6)", HFILL }},
+ { &hf_old_pflog_ifname,
+ { "Interface", "pflog.ifname", FT_STRING, BASE_NONE, NULL, 0x0,
+ "Interface", HFILL }},
+ { &hf_old_pflog_rnr,
+ { "Rule Number", "pflog.rnr", FT_INT16, BASE_DEC, NULL, 0x0,
+ "Last matched firewall rule number", HFILL }},
+ { &hf_old_pflog_reason,
+ { "Reason", "pflog.reason", FT_UINT16, BASE_DEC, VALS(reason_vals), 0x0,
+ "Reason for logging the packet", HFILL }},
+ { &hf_old_pflog_action,
+ { "Action", "pflog.action", FT_UINT16, BASE_DEC, VALS(action_vals), 0x0,
+ "Action taken by PF on the packet", HFILL }},
+ { &hf_old_pflog_dir,
+ { "Direction", "pflog.dir", FT_UINT16, BASE_DEC, VALS(old_dir_vals), 0x0,
+ "Direction of packet in stack (inbound versus outbound)", HFILL }},
+ };
+ static gint *ett[] = { &ett_old_pflog };
+
+ proto_old_pflog = proto_register_protocol(
+ "OpenBSD Packet Filter log file, pre 3.4",
+ "PFLOG-OLD", "pflog-old");
+ proto_register_field_array(proto_old_pflog, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+}
+
+void
+proto_reg_handoff_old_pflog(void)
+{
+ dissector_handle_t pflog_handle;
+
+ ip_handle = find_dissector("ip");
+ ipv6_handle = find_dissector("ipv6");
+ data_handle = find_dissector("data");
+
+ pflog_handle = create_dissector_handle(dissect_old_pflog, proto_old_pflog);
+ dissector_add("wtap_encap", WTAP_ENCAP_OLD_PFLOG, pflog_handle);
+}
+
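Review bot: dissect_old_pflog builds its subtree with `ett_pflog`, so the `ett_old_pflog` index that proto_register_old_pflog registers is never used; the line should be `pflog_tree = proto_item_add_subtree(ti, ett_old_pflog);`. The old dissector also formats `pflogh.ifname`, a 16-byte field copied from the packet, with a bare `%s`, which can read past the array when the field holds no NUL byte; `%.*s` with `(int)sizeof(pflogh.ifname)` bounds it. The hf entries here reuse the filter names `pflog.af`, `pflog.reason`, `pflog.action` and `pflog.dir` that proto_register_pflog registers with different field types; if the filter engine expects one type per name, a `pflog-old.` prefix would avoid the clash.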
diff --git a/packet-pflog.h b/packet-pflog.h
index 9d3b7f4d75..eed417a0b6 100644
--- a/packet-pflog.h
+++ b/packet-pflog.h
@@ -1,6 +1,6 @@
/* packet-pflog.h
*
- * $Id: packet-pflog.h,v 1.4 2002/07/15 20:55:51 guy Exp $
+ * $Id: packet-pflog.h,v 1.5 2003/05/15 07:14:45 guy Exp $
*
* Copyright 2001 Mike Frantzen
* All rights reserved.
@@ -33,6 +33,24 @@
/* The header in OpenBSD pflog files. */
struct pfloghdr {
+ guchar length;
+ guchar af;
+ guchar action;
+ guchar reason;
+ char ifname[16];
+ char ruleset[16];
+ guint32 rulenr;
+ guint32 subrulenr;
+ guchar dir;
+ guchar pad[3];
+};
+
+#define PFLOG_HDRLEN sizeof(struct pfloghdr)
+/* minus pad, also used as a signature */
+#define PFLOG_REAL_HDRLEN offsetof(struct pfloghdr, pad);
+#define MIN_PFLOG_HDRLEN 45
+
+struct old_pfloghdr {
guint32 af;
char ifname[16];
gint16 rnr;
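Review bot: `#define PFLOG_REAL_HDRLEN offsetof(struct pfloghdr, pad);` ends in a semicolon, so any use inside an expression or argument list will either fail to compile or end the statement early; drop the semicolon. `MIN_PFLOG_HDRLEN 45` looks like the same quantity (the field sizes before pad add up to 45 bytes), so `#define MIN_PFLOG_HDRLEN PFLOG_REAL_HDRLEN` would keep the two from drifting apart. A comment on `length` stating whether it counts the padding would also help, since capture_pflog compares the raw byte with the minimum while dissect_pflog compares the word-aligned value. The hunk ends inside struct old_pfloghdr.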
@@ -40,7 +58,7 @@ struct pfloghdr {
guint16 action;
guint16 dir;
};
-#define PFLOG_HDRLEN sizeof(struct pfloghdr)
+#define OLD_PFLOG_HDRLEN sizeof(struct old_pfloghdr)
/* Actions */
#define PF_PASS 0
@@ -48,8 +66,12 @@ struct pfloghdr {
#define PF_SCRUB 2
/* Directions */
-#define PF_IN 0
-#define PF_OUT 1
+#define PF_OLD_IN 0
+#define PF_OLD_OUT 1
+
+#define PF_INOUT 0
+#define PF_IN 1
+#define PF_OUT 2
# define BSD_PF_INET 2
# define BSD_PF_INET6 24
diff --git a/wiretap/libpcap.c b/wiretap/libpcap.c
index c2eeeed9a0..4d4c3d0fa9 100644
--- a/wiretap/libpcap.c
+++ b/wiretap/libpcap.c
@@ -1,6 +1,6 @@
/* libpcap.c
*
- * $Id: libpcap.c,v 1.95 2003/03/25 06:04:54 guy Exp $
+ * $Id: libpcap.c,v 1.96 2003/05/15 07:14:45 guy Exp $
*
* Wiretap Library
* Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
@@ -385,7 +385,7 @@ static const struct {
* defined with the value 17.
*/
#if !defined(DLT_LANE8023) || (DLT_LANE8023 != 17)
- { 17, WTAP_ENCAP_PFLOG },
+ { 17, WTAP_ENCAP_OLD_PFLOG },
#endif
/*
diff --git a/wiretap/wtap.c b/wiretap/wtap.c
index fece9a54e3..e38c5cca6a 100644
--- a/wiretap/wtap.c
+++ b/wiretap/wtap.c
@@ -1,6 +1,6 @@
/* wtap.c
*
- * $Id: wtap.c,v 1.81 2003/03/04 02:38:02 guy Exp $
+ * $Id: wtap.c,v 1.82 2003/05/15 07:14:45 guy Exp $
*
* Wiretap Library
* Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
@@ -147,7 +147,7 @@ static const struct encap_type_info {
{ "IEEE 802.11 plus Prism II monitor mode header", "prism" },
/* WTAP_ENCAP_PFLOG */
- { "OpenBSD PF Firewall logs", "pflog" },
+ { "OpenBSD PF Firewall logs, pre-3.4", "pflog-old" },
/* WTAP_ENCAP_HHDLC */
{ "HiPath HDLC", "hhdlc" },
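Review bot: The table slot that used to describe WTAP_ENCAP_PFLOG now holds the pre-3.4 entry, but the comment above it still reads `/* WTAP_ENCAP_PFLOG */`; it should become `/* WTAP_ENCAP_OLD_PFLOG */`. This array appears to be indexed by encapsulation value, so the comments are the only guide to which slot belongs to which constant, and after this commit two slots carry the same label. In the next hunk the new ENC description has a stray leading space, `" OpenBSD enc(4) encapsulating interface"`, which will show up wherever encapsulation names are listed.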
@@ -169,6 +169,12 @@ static const struct encap_type_info {
/* WTAP_ENCAP_TZSP */
{ "Tazmen sniffer protocol", "tzsp" },
+
+ /* WTAP_ENCAP_ENC */
+ { " OpenBSD enc(4) encapsulating interface", "enc" },
+
+ /* WTAP_ENCAP_PFLOG */
+ { "OpenBSD PF Firewall logs", "pflog" },
};
/* Name that should be somewhat descriptive. */
diff --git a/wiretap/wtap.h b/wiretap/wtap.h
index 572c38ea03..903da1b15d 100644
--- a/wiretap/wtap.h
+++ b/wiretap/wtap.h
@@ -1,6 +1,6 @@
/* wtap.h
*
- * $Id: wtap.h,v 1.136 2003/03/08 09:11:53 guy Exp $
+ * $Id: wtap.h,v 1.137 2003/05/15 07:14:46 guy Exp $
*
* Wiretap Library
* Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
@@ -118,7 +118,7 @@
#define WTAP_ENCAP_CISCO_IOS 26
#define WTAP_ENCAP_LOCALTALK 27
#define WTAP_ENCAP_PRISM_HEADER 28
-#define WTAP_ENCAP_PFLOG 29
+#define WTAP_ENCAP_OLD_PFLOG 29
#define WTAP_ENCAP_HHDLC 30
#define WTAP_ENCAP_DOCSIS 31
#define WTAP_ENCAP_COSINE 32
@@ -127,9 +127,10 @@
#define WTAP_ENCAP_SDLC 35
#define WTAP_ENCAP_TZSP 36
#define WTAP_ENCAP_ENC 37
+#define WTAP_ENCAP_PFLOG 38
/* last WTAP_ENCAP_ value + 1 */
-#define WTAP_NUM_ENCAP_TYPES 38
+#define WTAP_NUM_ENCAP_TYPES 39
/* File types that can be read by wiretap.
We support writing some many of these file types, too, so we