From: Sahil Tandon
To: freebsd-questions@freebsd.org
Date: Tue, 4 Nov 2008 21:22:42 -0500
Subject: Re: Watching /var/log/pflog grow
Message-ID: <20081105022242.GA1178@shepherd>
In-Reply-To: <20081104191354.GA1819@phenom.cordula.ws>

cpghost wrote:

> How can I watch /var/log/pflog grow with tcpdump, "tail -f" style?
>
> This won't work:
>   $ tail -f /var/log/pflog | tcpdump -n -s 116 -r -
> because tail doesn't start at the right location.

[...]

> I'm afraid that in the latter case, every packet will be
>   EITHER logged by pflogd
>   XOR displayed by tcpdump.
> Is that so?
>
> If yes, /var/log/pflog would be incomplete, because some packets
> would have been snatched away from pflog0 by tcpdump, before
> pflogd ever got a chance to read them out.
>
> Is there a way to watch /var/log/pflog grow, while
> still making sure that pflogd logs EVERY packet that appears
> on the pflog0 interface? How?

According to pflogd(8):

  Display the logs in real time (this does not interfere with the
  operation of pflogd):

    # tcpdump -n -e -ttt -i pflog0

-- 
Sahil Tandon
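
The `tail -f /var/log/pflog | tcpdump -r -` attempt quoted above fails because `tail` starts near the end of the file, so tcpdump never receives the 24-byte pcap savefile header and has no record boundary to start from. The following is an added example, not code from this thread or from pflogd: a file follower that parses the header first and then emits only complete records. The function names are hypothetical, and log rotation is not handled.

```python
import struct
import sys
import time

PCAP_MAGIC = 0xA1B2C3D4  # stored in the capturing host's byte order

def read_global_header(f):
    """Parse the 24-byte savefile header; return (endian, snaplen, linktype)."""
    raw = f.read(24)
    if len(raw) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", raw[:4])[0] == PCAP_MAGIC:
            snaplen, linktype = struct.unpack(endian + "II", raw[16:24])
            return endian, snaplen, linktype
    raise ValueError("not a pcap savefile (bad magic)")

def read_new_records(f, endian, snaplen):
    """Yield (ts_sec, ts_usec, orig_len, data) for each complete record."""
    while True:
        start = f.tell()
        hdr = f.read(16)
        if len(hdr) == 16:
            ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "4I", hdr)
            if incl_len > snaplen:  # sanity check: we are not on a record boundary
                raise ValueError("lost record sync at offset %d" % start)
            data = f.read(incl_len)
            if len(data) == incl_len:
                yield ts_sec, ts_usec, orig_len, data
                continue
        # Partial record (writer is mid-append): rewind to its start and stop,
        # so the next call resumes on a record boundary.
        f.seek(start)
        return

def follow(path, poll=1.0):
    """Print one summary line per record appended to the pcap file at path."""
    with open(path, "rb") as f:
        endian, snaplen, linktype = read_global_header(f)
        print("linktype=%d snaplen=%d" % (linktype, snaplen))
        while True:
            for sec, usec, wire, data in read_new_records(f, endian, snaplen):
                print("%d.%06d captured=%d wire=%d" % (sec, usec, len(data), wire))
            time.sleep(poll)

if __name__ == "__main__":
    follow(sys.argv[1] if len(sys.argv) > 1 else "/var/log/pflog")
```

This only reads the file pflogd has already written, so it cannot take packets away from pflogd; records show up when pflogd writes them to disk, not when they reach pflog0.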