From owner-freebsd-questions@FreeBSD.ORG Tue Oct 20 06:43:48 2009
From: Dánielisz László
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org
Date: Mon, 19 Oct 2009 23:43:46 -0700 (PDT)
Subject: Re: pf+time stamp
Message-ID: <189701.37514.qm@web30807.mail.mud.yahoo.com>
In-Reply-To: <4ADCB101.808@infracaninophile.co.uk>
References: <823621.39942.qm@web30801.mail.mud.yahoo.com> <4ADCB101.808@infracaninophile.co.uk>

Oh, great!

Thank you!


________________________________
From: Matthew Seaman
To: Dánielisz László
Cc: freebsd-questions@freebsd.org
Sent: Mon, October 19, 2009 8:33:37 PM
Subject: Re: pf+time stamp

Dánielisz László wrote:
> Hello,
>
> Do you have any idea how to add and read time stamp of pf/pf.log?
>
> Thank you!
> Laci

Do you mean /var/log/pflog ? Which is the default location where a
record of logged packets ends up if you run pflogd(8).

That's actually a pcap (packet capture) file, and you can read it
using tcpdump:

  # tcpdump -r /var/log/pflog

Each packet is recorded with a high resolution timestamp that tcpdump
will display for you -- like this naughty chap suffering the consequences
of trying to brute-force my ssh daemon just before 1:00pm today:

12:52:44.891373 IP customer-201-134-103-165.uninet-ide.com.mx.2316 > happy-idiot-talk.infracaninophile.co.uk.ssh: . ack 2991958242 win 1460
12:52:45.516283 IP customer-201-134-103-165.uninet-ide.com.mx.2316 > happy-idiot-talk.infracaninophile.co.uk.ssh: F 0:0(0) ack 1 win 1460
12:52:48.387822 IP customer-201-134-103-165.uninet-ide.com.mx.2316 > happy-idiot-talk.infracaninophile.co.uk.ssh: F 0:0(0) ack 1 win 1460
12:52:54.131863 IP customer-201-134-103-165.uninet-ide.com.mx.2316 > happy-idiot-talk.infracaninophile.co.uk.ssh: F 0:0(0) ack 1 win 1460
12:52:57.113810 IP customer-201-134-103-165.uninet-ide.com.mx.2316 > happy-idiot-talk.infracaninophile.co.uk.ssh: . ack 1 win 1460
12:53:05.620251 IP customer-201-134-103-165.uninet-ide.com.mx.2316 > happy-idiot-talk.infracaninophile.co.uk.ssh: F 0:0(0) ack 1 win 1460
12:53:28.597524 IP customer-201-134-103-165.uninet-ide.com.mx.2316 > happy-idiot-talk.infracaninophile.co.uk.ssh: F 0:0(0) ack 1 win 1460
12:54:14.550822 IP customer-201-134-103-165.uninet-ide.com.mx.2316 > happy-idiot-talk.infracaninophile.co.uk.ssh: F 0:0(0) ack 1 win 1460
12:55:46.457353 IP customer-201-134-103-165.uninet-ide.com.mx.2316 > happy-idiot-talk.infracaninophile.co.uk.ssh: F 0:0(0) ack 1 win 1460
13:00:15.032146 IP customer-201-134-103-165.uninet-ide.com.mx.2316 > happy-idiot-talk.infracaninophile.co.uk.ssh: R 1230911050:1230911050(0) win 1460

 Cheers,

 Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW