Date:      Mon, 17 Mar 2008 15:22:12 +0100
From:      CZUCZY Gergely <gergely.czuczy@harmless.hu>
To:        "Stephan F. Yaraghchi" <stephan@yaraghchi.org>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: watching the log in real time
Message-ID:  <20080317152212.00227d1c@twoflower.in.publishing.hu>
In-Reply-To: <25f52a3d0803170650j72beaeev51105ed0713f7867@mail.gmail.com>
References:  <25f52a3d0803170650j72beaeev51105ed0713f7867@mail.gmail.com>


On Mon, 17 Mar 2008 14:50:18 +0100
"Stephan F. Yaraghchi" <stephan@yaraghchi.org> wrote:

> Hi,
Hello,

>
> I have a question concerning the logging of pf on FreeBSD 7.0-RELEASE.
>
> When I issue 'tcpdump -netttt -i pflog0' to watch the log in real time
> I'm getting pretty brief output like:
>
> 2008-03-16 11:46:45.527125 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.590116 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.652107 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.715098 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.777087 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:47.249281 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:50.011245 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:52.761126 rule 0/0(match): block in on fxp1: [|ip]
[| means that it wasn't able to decode the packet any further, because the
snaplength is too small. Adjust it with -s, and check man tcpdump.


>
>
> When I look back into the history of the log with 'tcpdump -netttt -r
> /var/log/pflog' the output is much more verbose:
>
> 2008-03-16 11:46:45.527125 rule 0/0(match): block in on fxp1:
> 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:45.590116 rule 0/0(match): block in on fxp1:
> 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:45.652107 rule 0/0(match): block in on fxp1:
> 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:45.715098 rule 0/0(match): block in on fxp1:
> 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:45.777087 rule 0/0(match): block in on fxp1:
> 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:47.249281 rule 0/0(match): block in on fxp1:
> 192.168.204.10.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:50.011245 rule 0/0(match): block in on fxp1:
> 192.168.204.10.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:52.761126 rule 0/0(match): block in on fxp1:
> 192.168.204.10.138 > 192.168.204.255.138: NBT UDP PACKET(138)
>
>
> What do I have to do to see that much info while watching the log in real
> time?
>


-- 
Regards,

Czuczy Gergely
Harmless Digital Bt
mailto: gergely.czuczy@harmless.hu
Tel: +36-30-9702963
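The "[|ip]" in the live output and the full decode from /var/log/pflog are two views of the same mechanism: BPF hands tcpdump only the first snaplen bytes of each pflog record, and the printer emits "[|layer]" at whichever layer the captured bytes run out. The Python model below is added here as an illustration; it is not code from the thread, from tcpdump or from pf. The pflog header length (64) and the snaplen values (68 for old tcpdump defaults, 116 for pflogd's default) are assumptions written into the constants, and the NetBIOS payload is a constructed byte string, not a real datagram.

```python
import socket
import struct

# Assumed values (not taken from the thread): a DLT_PFLOG record starts with a
# fixed pflog header that tcpdump skips before decoding the IP packet, and old
# tcpdump releases captured only 68 bytes per packet unless -s was given.
PFLOG_HDRLEN = 64          # assumption: BPF word-aligned sizeof(struct pfloghdr)
OLD_DEFAULT_SNAPLEN = 68   # assumption: tcpdump 3.x default snaplen
PFLOGD_SNAPLEN = 116       # assumption: pflogd(8) default snaplen for /var/log/pflog

IP_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
UDP_FMT = "!HHHH"          # 8-byte UDP header


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Constructed sample datagram: IPv4 header + UDP header + payload (checksums left 0)."""
    udp_len = 8 + len(payload)
    udp = struct.pack(UDP_FMT, sport, dport, udp_len, 0) + payload
    ip = struct.pack(IP_FMT, 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def decode_ip_packet(data):
    """Decode like a packet printer: '[|layer]' marks the layer the capture cut off."""
    if len(data) < 20:
        return "[|ip]"
    vhl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(IP_FMT, data[:20])
    ihl = (vhl & 0x0F) * 4
    src, dst = socket.inet_ntoa(src), socket.inet_ntoa(dst)
    if len(data) < ihl:
        return "[|ip]"                         # IP options announced but not captured
    if proto != 17:
        return f"{src} > {dst}: ip-proto-{proto}"
    if len(data) < ihl + 8:
        return f"{src} > {dst}: [|udp]"        # IP header complete, UDP header cut off
    sport, dport, udp_len, _csum = struct.unpack(UDP_FMT, data[ihl:ihl + 8])
    return f"{src}.{sport} > {dst}.{dport}: UDP, length {udp_len - 8}"


def decode_pflog_record(record):
    """A pflog record is the pflog header followed by the logged IP packet."""
    if len(record) < PFLOG_HDRLEN:
        return "[|pflog]"
    return decode_ip_packet(record[PFLOG_HDRLEN:])


def capture(record, snaplen):
    """BPF delivers at most snaplen bytes per record; 0 models 'no limit' (tcpdump -s 0)."""
    return record if snaplen == 0 else record[:snaplen]


def snaplen_demo(snaplens=(OLD_DEFAULT_SNAPLEN, 90, PFLOGD_SNAPLEN, 0)):
    """Decode the same blocked NetBIOS datagram as it would be captured under several snaplens."""
    packet = build_ipv4_udp("192.168.204.4", "192.168.204.255", 138, 138,
                            b"\x11" * 200)           # constructed payload, not real NBT
    record = bytes(PFLOG_HDRLEN) + packet             # zeroed pflog header; contents unused here
    return {s: decode_pflog_record(capture(record, s)) for s in snaplens}


if __name__ == "__main__":
    for snaplen, line in snaplen_demo().items():
        print(f"-s {snaplen:<4} -> {line}")
```

Running it shows the progression the thread describes: with 68 bytes only 4 bytes of IP header survive after the pflog header, so the printer gives up at "[|ip]"; with 90 the IP header decodes but UDP does not; at 116 (what pflogd writes to the file) both headers are present, which is why the -r output is verbose while the live pflog0 capture is not. The practical check is simply to pass -s with a value at least as large as the pflog header plus the headers you want to see, or -s 0 to capture whole packets.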
