Broken macOS support for printing PFLOG via tcpdump #598

Closed
hdatma opened this issue Mar 29, 2017 · 1 comment

hdatma commented Mar 29, 2017

I think the latest macOS kernel was compiled without support for PFLOG.
We updated yesterday, and now packet printing is not supported.

Please verify on your own systems.

OS: macOS 10.12.4

```
/usr/sbin/tcpdump --version
tcpdump version tcpdump version 4.9.0 -- Apple version 79.50.2
libpcap version 1.8.1 -- Apple version 67.50.2
LibreSSL 2.2.7
sudo /sbin/ifconfig pflog0 create
/sbin/ifconfig | grep pflog0
pflog0: flags=41<UP,RUNNING> mtu 33080
/usr/sbin/tcpdump --list-interfaces
1.en0 [Up, Running]
2.fw0 [Up, Running]
3.utun0 [Up, Running]
4.pflog0 [Up, Running]
5.lo0 [Up, Running, Loopback]
6.en1 [Up]
7.gif0
8.stf0
9.p2p0
sudo tcpdump -n -e -ttt -i pflog0
tcpdump: packet printing is not supported for link type PFLOG: use -w
```

guyharris (Member) commented Mar 29, 2017

Yes, PFLOG is broken.

By "PFLOG" I mean "PFLOG", not "the PFLOG printing code in tcpdump"; it doesn't have a standard specification so that you can print any operating system's PFLOG output on any operating system.

So tcpdump's PFLOG-printing code requires that you have the header file for the OS on which you're compiling tcpdump available, so it can print that OS's version of PFLOG output.

Apple doesn't ship that header file, so we don't support printing PFLOG output on macOS; apparently, they don't support it in their tcpdump, either.

Please complain to Apple about this if you want it fixed, as it's their bug.
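
The error above says to use `-w`, which writes raw packets to a capture file without decoding them. As an added example (not from this thread or from the tcpdump project), the sketch below reads a classic pcap file header and reports whether the capture carries the PFLOG link type. It assumes the classic pcap format (not pcapng) and the link-type number 117 assigned to PFLOG in the tcpdump.org registry; the function names and the sample header are constructed for illustration.

```python
import struct

LINKTYPE_PFLOG = 117  # assumption: PFLOG value from the tcpdump.org link-type registry

# First four bytes of the file -> (struct byte-order prefix, timestamp resolution)
_MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", "microsecond"),
    b"\xd4\xc3\xb2\xa1": ("<", "microsecond"),
    b"\xa1\xb2\x3c\x4d": (">", "nanosecond"),
    b"\x4d\x3c\xb2\xa1": ("<", "nanosecond"),
}


def read_pcap_header(data: bytes) -> dict:
    """Parse the 24-byte classic pcap file header (hypothetical helper)."""
    if len(data) < 24:
        raise ValueError("truncated pcap file header")
    try:
        order, resolution = _MAGICS[data[:4]]
    except KeyError:
        raise ValueError("not a classic pcap file (pcapng or other format)") from None
    # version major/minor, timezone offset, sigfigs, snaplen, link type
    major, minor, _zone, _sigfigs, snaplen, network = struct.unpack(
        order + "HHiIII", data[4:24]
    )
    return {
        "version": (major, minor),
        "resolution": resolution,
        "snaplen": snaplen,
        # the low 16 bits hold the link type; upper bits carry FCS information
        "linktype": network & 0xFFFF,
    }


def is_pflog_capture(data: bytes) -> bool:
    """True when the capture's link type is PFLOG."""
    return read_pcap_header(data)["linktype"] == LINKTYPE_PFLOG


# Constructed sample: little-endian pcap 2.4 header with link type 117
SAMPLE_PFLOG = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, LINKTYPE_PFLOG)

if __name__ == "__main__":
    hdr = read_pcap_header(SAMPLE_PFLOG)
    print(hdr, "PFLOG" if is_pflog_capture(SAMPLE_PFLOG) else "other link type")
```

A capture identified this way still has to be decoded by a tcpdump built with the PFLOG header of the operating system that produced it, as the comment above explains.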
