packet filter logging daemon
pflogd is a background daemon which reads
packets logged by pf(4) to a pflog(4) interface, normally pflog0, and
writes the packets to a logfile (normally
tcpdump(8) binary format. These logs can be reviewed later using the
-r option of
tcpdump(8), hopefully offline in case there are bugs in the packet
parsing code of tcpdump(8).
pflogd closes and then re-opens the log
file when it receives
newsyslog(8) to rotate logfiles automatically.
flush the current logfile buffers to the disk, thus making the most recent
logs available. The buffers are also flushed every
If the log file contains data after a restart or a
SIGHUP, new logs are appended to the existing file.
If the existing log file was created with a different snaplen,
pflogd temporarily uses the old snaplen to keep the
log file consistent.
pflogd tries to preserve the integrity of
the log file against I/O errors. Furthermore, integrity of an existing log
file is verified before appending. If there is an invalid log file or an I/O
error, logging is suspended until a
SIGHUP or a
SIGALRM is received.
The options are as follows:
- Debugging mode.
pflogddoes not disassociate from the controlling terminal.
- Time in seconds to delay between automatic flushes of the file. This may be specified with a value between 5 and 3600 seconds. If not specified, the default is 60 seconds.
- Log output filename. Default is /var/log/pflog.
- Specifies the pflog(4) interface to use. By default,
pflogdwill use pflog0.
- Analyze at most the first snaplen bytes of data from each packet rather than the default of 160. The default of 160 is adequate for IP, ICMP, TCP, and UDP headers but may truncate protocol information for other protocols. Other file parsers may desire a higher snaplen.
- Check the integrity of an existing log file, and return.
- Selects which packets will be dumped, using the regular language of
tcpdump(8). Tcpdump has been extended to be able to filter on the
pfloghdr structure defined in
<net/if_pflog.h>. It can restrict the output to packets logged on a specified interface, a rule number, a reason, a direction, an IP family or an action.
- Address family equals IPv4.
- Address family equals IPv6.
- ifname kue0
- Interface name equals "kue0".
- on kue0
- Interface name equals "kue0".
- ruleset authpf
- Ruleset name equals "authpf".
- rulenum 10
- Rule number equals 10.
- reason match
- Reason equals match. Also accepts "bad-offset", "fragment", "short", "normalize", "memory", "bad-timestamp", "congestion", "ip-option", "proto-cksum", "state-mismatch", "state-insert", "state-limit", "src-limit", and "synproxy".
- action pass
- Action equals pass. Also accepts "block" and "match".
- The direction was inbound.
- The direction was outbound.
- Default log file.
Log specific TCP packets to a different log file with a large snaplen (useful with a "log all" rule to dump complete sessions):
# pflogd -s 1600 -f suspicious.log port 80 and host evilhost
Log from another pflog(4) interface, excluding specific packets:
# pflogd -i pflog3 -f network3.log "not (tcp and port 23)"
Display binary logs:
# tcpdump -n -e -ttt -r /var/log/pflog
Display the logs in real time (this does not interfere with the
# tcpdump -n -e -ttt -i pflog0
Display the logs in real time of inbound packets that were blocked on the wi0 interface:
# tcpdump -n -e -ttt -i pflog0 inbound and action block and on wi0
pcap_open_live(3), pf(4), pflog(4), pf.conf(5), newsyslog(8), tcpdump(8)
pflogd command appeared in
pflogd was written by Can