From owner-freebsd-questions@FreeBSD.ORG Wed Nov 5 05:30:44 2008
Date: Wed, 5 Nov 2008 06:30:41 +0100
From: cpghost
To: Jeremy Chadwick
Cc: freebsd-questions@freebsd.org
Subject: Re: Watching /var/log/pflog grow
Message-ID: <20081105053040.GE2277@epia-2.farid-hajji.net>
In-Reply-To: <20081105011557.GB62321@icarus.home.lan>
References: <20081104191354.GA1819@phenom.cordula.ws> <20081105011557.GB62321@icarus.home.lan>
User-Agent: Mutt/1.5.18 (2008-05-17)

On Tue, Nov 04, 2008 at 05:15:57PM -0800, Jeremy Chadwick wrote:
> On Tue, Nov 04, 2008 at 08:13:54PM +0100, cpghost wrote:
> > How can I watch /var/log/pflog grow with tcpdump, "tail -f" style?
> >
> > This won't work:
> > $ tail -f /var/log/pflog | tcpdump -n -s 116 -r -
> > because tail doesn't start at the right location.
> >
> > Using a blocksize (-b) with tail may also not be right,
> > because the captured packets are not the same size.
> >
> > This seems to work:
> > $ tcpdump -n -s 116 -i pflog0
> > but now, both tcpdump and pflogd are competing for the same
> > interface pflog0.
> >
> > I'm afraid that in the latter case, every packet will be
> > EITHER logged by pflogd
> > XOR displayed by tcpdump.
> > Is that so?
> >
> > If yes, /var/log/pflog would be incomplete, because some packets
> > would have been snatched away from pflog0 by tcpdump, before
> > pflogd ever got a chance to read them out.
> >
> > Is there a way to watch /var/log/pflog grow, while
> > still making sure that pflogd logs EVERY packet that appears
> > on the pflog0 interface? How?
>
> Please post this to freebsd-pf, where you can get better help.

Thank you, but the problem seems solved (pflog0 delivers copies of packets).
I'll test this tomorrow and should I miss some packets in the log file,
I'll surely raise the question again.

Thank you all for helping, on and off list.

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
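The reason `tail -f /var/log/pflog | tcpdump -r -` fails in the quoted question is that a pcap file starts with a 24-byte global header and every record carries its own length, so a reader that joins mid-file cannot find a record boundary; the Python reader below, an added example and not code from this thread, follows a pcap file from its header and holds back any record the writer has only partly flushed. It assumes the standard libpcap file format with link type 117 (DLT_PFLOG) and uses a constructed in-memory sample in place of /var/log/pflog.

```python
import struct, time
from io import BytesIO
GLOBAL_HDR_LEN, RECORD_HDR_LEN = 24, 16      # pcap file header, per-record header
MAGIC = {b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">",   # big-endian, us/ns
         b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<"}   # little-endian, us/ns

def follow_pcap(f, poll=0.5, max_idle=None):
    """Yield (ts_sec, ts_usec, packet) per complete record, tail -f style:
    start at the global header, and on a short read (writer mid-flush) rewind
    to the record boundary and wait; max_idle=N gives up after N empty polls."""
    f.seek(0)
    hdr = f.read(GLOBAL_HDR_LEN)
    if len(hdr) < GLOBAL_HDR_LEN or hdr[:4] not in MAGIC:
        raise ValueError("not a complete pcap global header")
    order = MAGIC[hdr[:4]]
    snaplen = struct.unpack(order + "I", hdr[16:20])[0]
    idle = 0
    while True:
        start = f.tell()
        rec = f.read(RECORD_HDR_LEN)
        if len(rec) == RECORD_HDR_LEN:
            ts_sec, ts_usec, incl_len, _ = struct.unpack(order + "IIII", rec)
            if incl_len > snaplen:               # desynced or corrupt file
                raise ValueError("record %d > snaplen %d" % (incl_len, snaplen))
            data = f.read(incl_len)
            if len(data) == incl_len:
                idle = 0
                yield ts_sec, ts_usec, data
                continue
        f.seek(start)                            # partial record: wait for the writer
        idle += 1
        if max_idle is not None and idle >= max_idle:
            return
        time.sleep(poll)

def make_pcap(records, snaplen=116):
    """Constructed little-endian pcap, link type 117 (DLT_PFLOG) as pflogd writes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 117)
    for sec, usec, pkt in records:
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt
    return out

def demo_growth():  # two records, then a third appended while we are following
    third = make_pcap([(30, 0, b"third")])[GLOBAL_HDR_LEN:]
    buf = BytesIO(make_pcap([(10, 1, b"one"), (20, 2, b"two-2")]) + third[:9])
    gen = follow_pcap(buf, poll=0, max_idle=3)
    got = [next(gen), next(gen)]                 # torn third record is held back
    pos = buf.tell(); buf.seek(0, 2); buf.write(third[9:]); buf.seek(pos)
    got.append(next(gen))                        # complete now, so it is delivered
    return got
```

Pointing `follow_pcap` at an opened /var/log/pflog with `max_idle=None` behaves like `tail -f` on record boundaries; it only reads the file, so pflogd remains the sole consumer of pflog0.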