As a related addition, if you run tcpdump on FreeBSD with the default settings (possibly also other BSDs, can't recall running into this with OpenBSD though) you will likely run into messages such as:
Code:
tcp 12 [bad hdr length 8 - too short, < 20]
Which can be solved by increasing the snaplen with -s; 256 should be more than enough (default being 68):
Code:
tcpdump -s 256 -i pflog0
The tcpdump(1) manpage gives an explanation of this option and also explains how it relates to j65nko's post:
Code:
-s Snarf snaplen bytes of data from each packet rather than the
default of 68 (with SunOS's NIT, the minimum is actually 96).
68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate
protocol information from name server and NFS packets (see
below). Packets truncated because of a limited snapshot are
indicated in the output with [|proto], where proto is the
name of the protocol level at which the truncation has occurred.
Note that taking larger snapshots both increases the amount of
time it takes to process packets and, effectively, decreases the
amount of packet buffering. This may cause packets to be lost.
You should limit snaplen to the smallest number that will capture
the protocol information you're interested in. Setting
snaplen to 0 means use the required length to catch whole packets.
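To check whether a saved capture was cut short by its snaplen, the per-packet length fields in the file can be compared directly. This is an added example, not part of the original post; it assumes the classic pcap file format (not pcapng), and the sample capture is constructed in memory.

```python
import struct

LINKTYPE_PFLOG = 117  # link type recorded for captures taken on pflog0


def build_sample(snaplen, wire_lengths):
    """Construct a little-endian pcap whose packets are cut at snaplen (zero-filled)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_PFLOG)
    for wire_len in wire_lengths:
        captured = min(snaplen, wire_len)
        out += struct.pack("<IIII", 0, 0, captured, wire_len) + bytes(captured)
    return out


def truncation_report(data):
    """Return snaplen, link type, packet count and how many packets were truncated."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"  # file was written on a machine with the other byte order
    else:
        raise ValueError("not a classic pcap file")
    snaplen, linktype = struct.unpack_from(endian + "II", data, 16)
    offset, packets, truncated = 24, 0, 0
    while offset + 16 <= len(data):
        # record header: ts_sec, ts_usec, captured length, original length
        _, _, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("record runs past end of file")
        offset += incl_len
        packets += 1
        if incl_len < orig_len:  # what tcpdump marks with [|proto]
            truncated += 1
    return {"snaplen": snaplen, "linktype": linktype,
            "packets": packets, "truncated": truncated}


if __name__ == "__main__":
    sizes = [60, 100, 1500]  # constructed on-wire packet lengths
    for snap in (68, 256):
        print(truncation_report(build_sample(snap, sizes)))
```

A packet counted as truncated may still have complete headers; the count only says the capture holds fewer bytes than were on the wire.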