Date:      Fri, 25 Feb 2005 17:51:10 +0200
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        kilim <kilim@phenix.rootshell.be>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: pflog's format
Message-ID:  <20050225155110.GA55587@orion.daedalusnetworks.priv>
In-Reply-To: <20050225152810.GA9271@phenix.rootshell.be>
References:  <20050225152810.GA9271@phenix.rootshell.be>

On 2005-02-25 16:28, kilim <kilim@phenix.rootshell.be> wrote:
> when reading pf's log the messages usually have the following format:
>
> 189977 rule 0/0(match): block out on ste0: IP (tos 0x0, ttl 63, id
> 38539, offset 0, flags [DF], length: 40)
>
> Instead of "xxxxxx number rule" how can I get date and time
> displayed/logged ?

Try using tcpdump with the proper options on `/var/log/pflog':

# Wrapped under 80 columns output...

orion:/root# tcpdump -tttt -n -v -r /var/log/pflog | head -5
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
2005-01-10 16:32:54.010282 IP (tos 0x0, ttl   1, id 17146, offset 0, flags
  [none], length: 40, optlength: 4 ( RA )) 10.6.0.201 > 224.0.0.22: igmp v3
  report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)]
2005-01-10 16:32:54.687811 IP (tos 0x0, ttl   1, id 17156, offset 0, flags
  [none], length: 40, optlength: 4 ( RA )) 10.6.0.201 > 224.0.0.22: igmp v3
  report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)]
2005-01-10 16:33:24.011554 IP (tos 0x0, ttl   1, id 17218, offset 0, flags
  [none], length: 40, optlength: 4 ( RA )) 10.6.0.201 > 224.0.0.22: igmp v3
  report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)]
2005-01-10 16:33:24.723533 IP (tos 0x0, ttl   1, id 17219, offset 0, flags
  [none], length: 40, optlength: 4 ( RA )) 10.6.0.201 > 224.0.0.22: igmp v3
  report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)]
2005-01-19 11:05:24.429801 IP (tos 0x0, ttl   1, id 22604, offset 0, flags
  [none], length: 40, optlength: 4 ( RA )) 10.6.0.202 > 224.0.0.22: igmp v3
  report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)]
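Once pflog is read back with `tcpdump -tttt`, the next thing people usually want is to filter or count by time, address or protocol. The parser below is an added example, not code from this thread; it is written against the output format shown above and assumes tcpdump's continuation lines (and any manual wrapping) are indented with whitespace.

```python
import re
from datetime import datetime

# Constructed sample of `tcpdump -tttt -n -v -r /var/log/pflog` output, built from
# the lines shown in the reply above; indented lines continue the previous record.
SAMPLE = """\
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
2005-01-10 16:32:54.010282 IP (tos 0x0, ttl   1, id 17146, offset 0, flags
  [none], length: 40, optlength: 4 ( RA )) 10.6.0.201 > 224.0.0.22: igmp v3
  report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)]
2005-01-19 11:05:24.429801 IP (tos 0x0, ttl   1, id 22604, offset 0, flags
  [none], length: 40, optlength: 4 ( RA )) 10.6.0.202 > 224.0.0.22: igmp v3
  report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)]
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (.*)$")
HDR_RE = re.compile(r"ttl\s+(\d+), id (\d+), offset (\d+), flags \[([^\]]*)\], "
                    r"length: (\d+)")
ADDR_RE = re.compile(r"\) (\S+) > ([^:]+): (\S+)")  # "...) src > dst: proto"

def join_records(text):
    """One string per packet: a timestamped line opens a record, an indented
    line continues it, anything else (the "reading from file" banner) is skipped."""
    records = []
    for line in text.splitlines():
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        elif TS_RE.match(line):
            records.append(line)
    return records

def parse_record(rec):
    """Extract timestamp, IP header fields and endpoints; None if not understood."""
    ts, hdr, addr = TS_RE.match(rec), HDR_RE.search(rec), ADDR_RE.search(rec)
    if not (ts and hdr and addr):
        return None
    return {
        "time": datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S.%f"),
        "ttl": int(hdr.group(1)), "id": int(hdr.group(2)),
        "offset": int(hdr.group(3)), "flags": hdr.group(4),
        "length": int(hdr.group(5)),
        "src": addr.group(1), "dst": addr.group(2), "proto": addr.group(3),
    }

def parse_pflog_text(text):
    """Parse whole tcpdump output into packet dicts, dropping unparsed records."""
    return [p for p in map(parse_record, join_records(text)) if p]

if __name__ == "__main__":
    for p in parse_pflog_text(SAMPLE):
        print(p["time"].isoformat(), p["src"], "->", p["dst"], p["proto"])
```

Feed it the real output with `tcpdump -tttt -n -v -r /var/log/pflog | python3 parse_pflog.py` style piping (reading stdin instead of SAMPLE) and you have timestamped records you can sort, window, or count per source.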