pflog0
,
and writes the packets to a logfile (normally
/var/log/pflog
)
in
tcpdump(8)
binary format.
These logs can be reviewed later using the
-r
option of
tcpdump(8),
hopefully offline in case there are bugs in the packet parsing code of
tcpdump(8).
pflogd
closes and then re-opens the log file when it receives
SIGHUP
,
permitting
newsyslog(8)
to rotate logfiles automatically.
SIGALRM
causes
pflogd
to flush the current logfile buffers to the disk, thus making the most
recent logs available.
The buffers are also flushed every
delay
seconds.
If the log file contains data after a restart or a
SIGHUP
,
new logs are appended to the existing file.
If the existing log file was created with a different snaplen,
pflogd
temporarily uses the old snaplen to keep the log file consistent.
pflogd
tries to preserve the integrity of the log file against I/O errors.
Furthermore, integrity of an existing log file is verified before
appending.
If there is an invalid log file or an I/O error, the log file is moved
out of the way and a new one is created.
If a new file cannot be created, logging is suspended until a
SIGHUP
or a
SIGALRM
is received.
The options are as follows:
/var/log/pflog
.
/var/run/pidname.pid
.
If the option is not given,
pidfile
defaults to
pflogd
.
/var/run/pflogd.pid
/var/log/pflog
# pflogd -s 1600 -f suspicious.log port 80 and host evilhost
Log from another pflog(4) interface, excluding specific packets:
# pflogd -i pflog3 -f network3.log "not (tcp and port 23)"
Display binary logs:
# tcpdump -n -e -ttt -r /var/log/pflog
Display the logs in real time (this does not interfere with the operation of ):
# tcpdump -n -e -ttt -i pflog0
Tcpdump has been extended to be able to filter on the pfloghdr structure defined in <net/if_pflog.h>. Tcpdump can restrict the output to packets logged on a specified interface, a rule number, a reason, a direction, an IP family or an action.
Display the logs in real time of inbound packets that were blocked on the wi0 interface:
# tcpdump -n -e -ttt -i pflog0 inbound and action block and on wi0