From owner-freebsd-questions@FreeBSD.ORG Wed Nov 5 01:16:02 2008
Date: Tue, 4 Nov 2008 17:15:57 -0800
From: Jeremy Chadwick
To: cpghost
Cc: freebsd-questions@freebsd.org
Subject: Re: Watching /var/log/pflog grow
Message-ID: <20081105011557.GB62321@icarus.home.lan>
In-Reply-To: <20081104191354.GA1819@phenom.cordula.ws>

On Tue, Nov 04, 2008 at 08:13:54PM +0100, cpghost wrote:
> How can I watch /var/log/pflog grow with tcpdump, "tail -f" style?
>
> This won't work:
> $ tail -f /var/log/pflog | tcpdump -n -s 116 -r -
> because tail doesn't start at the right location.
>
> Using a blocksize (-b) with tail may also not be right,
> because the captured packets are not the same size.
>
> This seems to work:
> $ tcpdump -n -s 116 -i pflog0
> but now, both tcpdump and pflogd are competing for the same
> interface pflog0.
>
> I'm afraid that in the latter case, every packet will be
> EITHER logged by pflogd
> XOR displayed by tcpdump.
> Is that so?
>
> If yes, /var/log/pflog would be incomplete, because some packets
> would have been snatched away from pflog0 by tcpdump, before
> pflogd ever got a chance to read them out.
>
> Is there a way to watch /var/log/pflog grow, while
> still making sure that pflogd logs EVERY packet that appears
> on the pflog0 interface? How?

Please post this to freebsd-pf, where you can get better help.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
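The quoted question explains why `tail -f /var/log/pflog | tcpdump -r -` fails: the file is a pcap stream, a 24-byte global header followed by variable-length records, so a byte-oriented `tail` hands tcpdump data that starts mid-record. The following is an added example, not code from this thread or from the FreeBSD project: a small pcap-aware follower that reads the global header once, then only emits a record when both its 16-byte record header and its full captured payload are present, buffering any trailing partial record until more bytes arrive. It reads the file rather than `pflog0`, so it never touches the interface pflogd is logging from. The sample capture inside it is constructed (two records of different lengths, link type 117 for DLT_PFLOG, snaplen 116); `follow_file` is a hypothetical helper name and polling interval of my own.

```python
import os
import struct
import time

PCAP_GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
PCAP_REC_HDR_LEN = 16      # ts_sec, ts_usec, incl_len, orig_len


def parse_global_header(data):
    """Return (struct endianness prefix, snaplen, linktype) from a pcap header."""
    if len(data) < PCAP_GLOBAL_HDR_LEN:
        raise ValueError("short pcap header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"           # file written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"           # file written big-endian
    else:
        raise ValueError("not a classic pcap file: magic %#x" % magic)
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:PCAP_GLOBAL_HDR_LEN])
    return endian, snaplen, linktype


class PcapFollower:
    """Incremental pcap record reader: feed() whatever new bytes appeared and
    get back only complete records; a trailing partial record stays buffered."""

    def __init__(self):
        self.buf = b""
        self.endian = None
        self.snaplen = None
        self.linktype = None

    def feed(self, data):
        self.buf += data
        records = []
        if self.endian is None:
            if len(self.buf) < PCAP_GLOBAL_HDR_LEN:
                return records     # header itself is still incomplete
            self.endian, self.snaplen, self.linktype = parse_global_header(self.buf)
            self.buf = self.buf[PCAP_GLOBAL_HDR_LEN:]
        while len(self.buf) >= PCAP_REC_HDR_LEN:
            ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
                self.endian + "IIII", self.buf[:PCAP_REC_HDR_LEN])
            if incl_len > self.snaplen:
                # A captured length above snaplen means we lost sync or the
                # file is corrupt; refuse rather than emit garbage.
                raise ValueError("corrupt record: incl_len %d > snaplen %d"
                                 % (incl_len, self.snaplen))
            end = PCAP_REC_HDR_LEN + incl_len
            if len(self.buf) < end:
                break              # partial record: wait for the rest
            records.append((ts_sec + ts_usec / 1e6, orig_len,
                            self.buf[PCAP_REC_HDR_LEN:end]))
            self.buf = self.buf[end:]
        return records


def follow_file(path, poll_interval=0.5):
    """Generator: replay the records already in `path`, then keep yielding
    new ones as pflogd appends to it (the pcap-aware equivalent of tail -f)."""
    follower = PcapFollower()
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(65536)
            if chunk:
                for rec in follower.feed(chunk):
                    yield rec
            else:
                time.sleep(poll_interval)
                fh.seek(0, os.SEEK_CUR)   # discard buffered EOF state


def build_sample_pcap():
    """Constructed sample standing in for /var/log/pflog: little-endian pcap,
    snaplen 116, linktype 117 (DLT_PFLOG), two records of different sizes."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 116, 117)
    rec1 = struct.pack("<IIII", 1225840434, 0, 40, 40) + b"\x01" * 40
    rec2 = struct.pack("<IIII", 1225840435, 500000, 116, 1500) + b"\x02" * 116
    return hdr + rec1 + rec2


def demo_split_feed():
    """Feed the sample in two chunks, cutting inside record 2's payload, to
    show that only complete records are emitted from each chunk."""
    data = build_sample_pcap()
    cut = PCAP_GLOBAL_HDR_LEN + PCAP_REC_HDR_LEN + 40 + PCAP_REC_HDR_LEN + 10
    follower = PcapFollower()
    first = follower.feed(data[:cut])
    second = follower.feed(data[cut:])
    return first, second, follower


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for ts, orig_len, payload in follow_file(sys.argv[1]):
            print("%.6f len=%d captured=%d" % (ts, orig_len, len(payload)))
    else:
        first, second, f = demo_split_feed()
        print("linktype=%d snaplen=%d" % (f.linktype, f.snaplen))
        print("chunk 1 yielded %d record(s), chunk 2 yielded %d" % (len(first), len(second)))
```

Run it with a path to follow a live pflogd output file from the beginning; without arguments it runs the constructed demonstration. The payload it yields is the raw DLT_PFLOG record (pflog header plus the captured IP packet), which is what tcpdump would decode; the point here is only the framing that `tail -f` gets wrong.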