From owner-freebsd-pf@FreeBSD.ORG Mon Mar 17 14:35:45 2008
Date: Mon, 17 Mar 2008 15:22:12 +0100
From: CZUCZY Gergely
To: "Stephan F. Yaraghchi"
Cc: freebsd-pf@freebsd.org
Subject: Re: watching the log in real time
Message-ID: <20080317152212.00227d1c@twoflower.in.publishing.hu>
In-Reply-To: <25f52a3d0803170650j72beaeev51105ed0713f7867@mail.gmail.com>
References: <25f52a3d0803170650j72beaeev51105ed0713f7867@mail.gmail.com>
Organization: Harmless Digital
X-Mailer: Claws Mail 3.3.1 (GTK+ 2.10.11; i386-portbld-freebsd6.2)
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Mon, 17 Mar 2008 14:50:18 +0100
"Stephan F. Yaraghchi" wrote:

> Hi,

Hello,

> 
> I have a question concerning the logging of pf on FreeBSD 7.0-RELEASE.
> 
> When I issue 'tcpdump -netttt -i pflog0' to watch the log in real time
> I'm getting pretty brief output like:
> 
> 2008-03-16 11:46:45.527125 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.590116 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.652107 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.715098 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.777087 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:47.249281 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:50.011245 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:52.761126 rule 0/0(match): block in on fxp1: [|ip]

[| means that it wasn't able to decode the packet any further, because
the snaplength is too small. Adjust it with -s, and check man tcpdump

> 
> 
> When I look back into the history of the log with 'tcpdump -netttt -r
> /var/log/pflog' the output is much more verbose:
> 
> 2008-03-16 11:46:45.527125 rule 0/0(match): block in on fxp1: 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:45.590116 rule 0/0(match): block in on fxp1: 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:45.652107 rule 0/0(match): block in on fxp1: 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:45.715098 rule 0/0(match): block in on fxp1: 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:45.777087 rule 0/0(match): block in on fxp1: 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:47.249281 rule 0/0(match): block in on fxp1: 192.168.204.10.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:50.011245 rule 0/0(match): block in on fxp1: 192.168.204.10.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 2008-03-16 11:46:52.761126 rule 0/0(match): block in on fxp1: 192.168.204.10.138 > 192.168.204.255.138: NBT UDP PACKET(138)
> 
> 
> What do I have to do to see that much info while watching the log in real
> time?
> 

-- 
Regards,
Czuczy Gergely
Harmless Digital Bt
mailto: gergely.czuczy@harmless.hu
Tel: +36-30-9702963
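The truncation the reply explains is a capture-length budget problem: every pflog(4) record carries a pflog header in front of the IP packet, so a small snaplen can be used up before the 20-byte IP header is complete, and tcpdump reports exactly that as `[|ip]`. The script below is an added example, not code from this thread or from FreeBSD or tcpdump. It constructs a DLT_PFLOG pcap containing the blocked NetBIOS datagram from the thread, once captured with a 68-byte snaplen and once with 116 bytes, then decodes both records the way tcpdump's pflog printer does. The 64-byte `struct pfloghdr` layout, the action/direction/reason codes, and the choice of 68 (taken here as the old tcpdump default) and 116 (taken as pflogd's default) are my assumptions about those versions and are marked as such in the comments.

```python
"""Added example: decode a DLT_PFLOG pcap and show why a small snaplen yields "[|ip]".

Assumptions (not from the thread): FreeBSD's 64-byte struct pfloghdr layout,
PF_PASS=0/PF_DROP=1, PF_IN=1/PF_OUT=2, PFRES_MATCH=0, and tcpdump's
"rule N/<reason>(<name>)" line format.
"""
import socket
import struct

DLT_PFLOG = 117        # libpcap link type for pflog captures
PFLOG_HDRLEN = 64      # sizeof(struct pfloghdr) after padding (assumed)
PFLOG_FMT = "!BBBB16s16sIIIIIIB3x"   # length, af, action, reason, ifname, ruleset,
                                     # rulenr, subrulenr, uid, pid, rule_uid, rule_pid, dir, pad
PF_ACTIONS = {0: "pass", 1: "block"}
PF_DIRS = {1: "in", 2: "out"}
PF_REASONS = {0: "match"}
IPPROTO_UDP = 17


def decode_pflog_record(data, caplen):
    """Summarise one captured record in the style of tcpdump's pflog output.

    Only the first `caplen` bytes exist in the capture; that is precisely the
    limit a too-small snaplen imposes, so every decode step checks it."""
    if caplen < PFLOG_HDRLEN:
        return "[|pflog]"                       # not even the pflog header fits
    fields = struct.unpack(PFLOG_FMT, data[:PFLOG_HDRLEN])
    action, reason, ifname, rulenr, direction = fields[2], fields[3], fields[4], fields[6], fields[12]
    ifname = ifname.split(b"\0", 1)[0].decode("ascii")
    prefix = "rule %d/%d(%s): %s %s on %s: " % (
        rulenr, reason, PF_REASONS.get(reason, "unkn"),
        PF_ACTIONS.get(action, "unkn"), PF_DIRS.get(direction, "unkn"), ifname)

    ip = data[PFLOG_HDRLEN:caplen]
    if len(ip) < 20:                            # IPv4 header incomplete -> "[|ip]"
        return prefix + "[|ip]"
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    if proto != IPPROTO_UDP:
        return prefix + "%s > %s: proto %d" % (src, dst, proto)
    udp = ip[ihl:]
    if len(udp) < 8:                            # UDP header incomplete -> "[|udp]"
        return prefix + "%s > %s: [|udp]" % (src, dst)
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return prefix + "%s.%d > %s.%d: UDP, length %d" % (src, sport, dst, dport, ulen - 8)


def decode_pcap(blob):
    """Walk a classic little-endian pcap file and decode every record."""
    magic, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != 0xA1B2C3D4 or linktype != DLT_PFLOG:
        raise ValueError("not a little-endian DLT_PFLOG pcap")
    lines, off = [], 24
    while off + 16 <= len(blob):
        _sec, _usec, caplen, _origlen = struct.unpack("<IIII", blob[off:off + 16])
        off += 16
        lines.append(decode_pflog_record(blob[off:off + caplen], caplen))
        off += caplen
    return lines


def build_sample_pcap(snaplen):
    """Constructed sample: the blocked NetBIOS datagram from the thread,
    192.168.204.4:138 -> 192.168.204.255:138 inbound on fxp1, captured with `snaplen`."""
    payload = b"\x11" + b"\x00" * 40                       # constructed NBT filler
    udp = struct.pack("!HHHH", 138, 138, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton("192.168.204.4"), socket.inet_aton("192.168.204.255")) + udp
    # af=2 (AF_INET), action=1 (block), reason=0 (match), rule 0, subrulenr=-1, dir=1 (in)
    pflog = struct.pack(PFLOG_FMT, 61, 2, 1, 0, b"fxp1", b"", 0, 0xFFFFFFFF,
                        0xFFFFFFFF, 0, 0xFFFFFFFF, 0, 1)
    frame = pflog + ip
    caplen = min(snaplen, len(frame))                      # the cut a snaplen imposes
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, DLT_PFLOG)
    record = struct.pack("<IIII", 1205667205, 527125, caplen, len(frame)) + frame[:caplen]
    return header + record


if __name__ == "__main__":
    for snaplen in (68, 116):   # assumed: 68 = old tcpdump default, 116 = pflogd default
        print("snaplen %d:" % snaplen, *decode_pcap(build_sample_pcap(snaplen)))
```

With 68 bytes only 4 bytes of the IP packet survive the 64-byte pflog header, so the record decodes to `[|ip]` just as in the live `-i pflog0` run; with 116 bytes the IP and UDP headers both fit and the addresses and ports appear, as they do when reading the file pflogd wrote. The example stops at the UDP layer rather than reproducing tcpdump's NetBIOS decoder, so it prints `UDP, length 41` where the thread shows `NBT UDP PACKET(138)`.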