Date: Mon, 17 Mar 2008 07:50:40 -0700
From: Jeremy Chadwick <koitsu@freebsd.org>
To: "Stephan F. Yaraghchi" <stephan@yaraghchi.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: watching the log in real time
Message-ID: <20080317145040.GA48737@eos.sc1.parodius.com>
In-Reply-To: <25f52a3d0803170650j72beaeev51105ed0713f7867@mail.gmail.com>
References: <25f52a3d0803170650j72beaeev51105ed0713f7867@mail.gmail.com>
On Mon, Mar 17, 2008 at 02:50:18PM +0100, Stephan F. Yaraghchi wrote:
> When I issue 'tcpdump -netttt -i pflog0' to watch the log in real time
> I'm getting pretty brief output like:
>
> 2008-03-16 11:46:45.527125 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.590116 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.652107 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.715098 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.777087 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:47.249281 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:50.011245 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:52.761126 rule 0/0(match): block in on fxp1: [|ip]

Choose a larger snaplen size for tcpdump to use, e.g. tcpdump -s 1024.
Don't pick something absurdly large. There is a discussion as to whether or
not tcpdump on FreeBSD should default to using a larger snaplen size (128
would be good).

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
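The `[|ip]` at the end of each quoted line is tcpdump's marker that the captured bytes ended before the IP header could be decoded, which is exactly the symptom of a snaplen that is too small. The following Python script is an added example, not part of this thread or of tcpdump/pf, that parses lines in the `tcpdump -netttt -i pflog0` format shown above and reports how many entries were truncated, so an operator can tell from a saved log whether the capture needs a larger `-s` value. The sample log is constructed; the third line imitates what a fully decoded entry looks like and is not taken from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the thread's 'tcpdump -netttt -i pflog0'
# output: two truncated entries and one hypothetical full decode.
SAMPLE_LOG = """\
2008-03-16 11:46:45.527125 rule 0/0(match): block in on fxp1: [|ip]
2008-03-16 11:46:45.590116 rule 0/0(match): block in on fxp1: [|ip]
2008-03-16 11:46:47.249281 rule 3/0(match): pass out on fxp0: 192.0.2.10.51234 > 198.51.100.5.80: tcp 0
"""

# One line of pflog output as printed by tcpdump:
#   <date> <time> rule <n>/<sub>(<reason>): <action> <dir> on <if>: <decode>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\S+): (?P<decode>.*)$"
)


@dataclass
class PflogEntry:
    timestamp: str
    rule: int
    subrule: int
    reason: str
    action: str
    direction: str
    iface: str
    decode: str
    truncated: bool  # True when tcpdump printed a "[|proto]" marker


def parse_line(line: str) -> Optional[PflogEntry]:
    """Parse one tcpdump/pflog line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    decode = m.group("decode")
    return PflogEntry(
        timestamp=m.group("ts"),
        rule=int(m.group("rule")),
        subrule=int(m.group("sub")),
        reason=m.group("reason"),
        action=m.group("action"),
        direction=m.group("dir"),
        iface=m.group("iface"),
        decode=decode,
        # tcpdump emits "[|ip]", "[|tcp]" etc. when the snaplen cut the
        # packet before that layer could be decoded.
        truncated="[|" in decode,
    )


def parse_log(text: str) -> List[PflogEntry]:
    """Parse every recognisable line in a block of tcpdump output."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def truncation_ratio(entries: List[PflogEntry]) -> float:
    """Fraction of parsed entries whose decode was cut short by the snaplen."""
    if not entries:
        return 0.0
    return sum(1 for e in entries if e.truncated) / len(entries)


def needs_larger_snaplen(entries: List[PflogEntry], threshold: float = 0.1) -> bool:
    """Heuristic: if more than `threshold` of entries are truncated, the
    capture should be re-run with a larger -s value (e.g. tcpdump -s 1024)."""
    return truncation_ratio(entries) > threshold


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in parsed:
        flag = "TRUNCATED" if e.truncated else "ok"
        print(f"{e.timestamp} rule {e.rule} {e.action} {e.direction} on {e.iface}: {flag}")
    print(f"truncated: {truncation_ratio(parsed):.0%}; "
          f"increase snaplen: {needs_larger_snaplen(parsed)}")
```

Run it against a saved capture (`tcpdump -netttt -r pflog.pcap > log.txt`, then feed `log.txt` instead of `SAMPLE_LOG`) to confirm that the chosen `-s` value is large enough before relying on the log for rule debugging.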