From: Matthew Seaman
Date: Tue, 04 Nov 2008 19:20:42 +0000
To: cpghost
Cc: freebsd-questions@freebsd.org
Subject: Re: Watching /var/log/pflog grow

cpghost wrote:
> How can I watch /var/log/pflog grow with tcpdump, "tail -f" style?
>
> This won't work:
> $ tail -f /var/log/pflog | tcpdump -n -s 116 -r -
> because tail doesn't start at the right location.
>
> Using a blocksize (-b) with tail may also not be right,
> because the captured packets are not the same size.
>
> This seems to work:
> $ tcpdump -n -s 116 -i pflog0
> but now, both tcpdump and pflogd are competing for the same
> interface pflog0.
>
> I'm afraid that in the latter case, every packet will be
> EITHER logged by pflogd
> XOR displayed by tcpdump.
> Is that so?
>
> If yes, /var/log/pflog would be incomplete, because some packets
> would have been snatched away from pflog0 by tcpdump, before
> pflogd ever got a chance to read them out.
>
> Is there a way to watch /var/log/pflog grow, while
> still making sure that pflogd logs EVERY packet that appears
> on the pflog0 interface? How?
>

Running tcpdump against the pflog0 pseudo-interface no more stops
pflogd recording the traffic than running tcpdump on your network
interface blocks traffic from the net.

tcpdump -vv -i pflog0 really is the way to go if you want to see what
your firewall is logging in real time.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
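The reason a byte-oriented "tail -f | tcpdump -r -" fails is that pcap records are variable length and the reader has to start at the file header; the following Python is an added illustration, not code from the thread, of a record-aligned follower for a pflog-format file. It assumes the standard pcap file layout with link type 117 (DLT_PFLOG) and, as a labelled assumption, that FreeBSD's struct pfloghdr starts with length, af, action, reason and a 16-byte ifname; the sample file is constructed inline.

```python
import struct

DLT_PFLOG = 117                     # link type pflogd writes into the pcap global header
PCAP_HDR_LEN, REC_HDR_LEN = 24, 16  # pcap file header and per-record header sizes
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # byte order from the magic
def decode_pflog_hdr(data):
    """Assumed first fields of FreeBSD's struct pfloghdr: length, af, action, reason, ifname[16]."""
    hdrlen, af, action, _reason = struct.unpack("BBBB", data[:4])
    ifname = data[4:20].split(b"\0", 1)[0].decode()
    return {"hdrlen": hdrlen, "af": af, "ifname": ifname,
            "action": {0: "pass", 1: "block"}.get(action, "action%d" % action)}
class PflogFollower:
    """Take a growing pcap file as arbitrary byte chunks and emit only whole records.
    Each record carries its own caplen, so alignment comes from the file itself,
    which a byte-oriented tail -f cannot recover."""
    def __init__(self):
        self.buf, self.fmt = b"", None        # fmt: struct byte-order prefix, set by header

    def feed(self, chunk):
        self.buf += chunk
        out = []
        if self.fmt is None:                  # still waiting for the 24-byte global header
            if len(self.buf) < PCAP_HDR_LEN:
                return out
            self.fmt = MAGIC.get(self.buf[:4])
            if self.fmt is None:
                raise ValueError("not a pcap file")
            if struct.unpack(self.fmt + "I", self.buf[20:24])[0] != DLT_PFLOG:
                raise ValueError("not a pflog capture")
            self.buf = self.buf[PCAP_HDR_LEN:]
        while len(self.buf) >= REC_HDR_LEN:
            ts_sec, _usec, caplen, _origlen = struct.unpack(self.fmt + "IIII", self.buf[:REC_HDR_LEN])
            if len(self.buf) < REC_HDR_LEN + caplen:
                break                         # partial record: wait for more bytes
            data, self.buf = self.buf[REC_HDR_LEN:REC_HDR_LEN + caplen], self.buf[REC_HDR_LEN + caplen:]
            out.append((ts_sec, decode_pflog_hdr(data)))
        return out
def make_sample():
    """Constructed pflog file: header (snaplen 116, DLT_PFLOG) plus two records of unequal length."""
    def rec(ts, action, payload):            # 61-byte pfloghdr (assumed layout) then packet bytes
        data = struct.pack("BBBB16s", 61, 2, action, 0, b"em0") + b"\0" * 41 + payload
        return struct.pack("<IIII", ts, 0, len(data), len(data)) + data
    hdr = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 116, DLT_PFLOG)
    return hdr + rec(1225826450, 1, b"\x45" + b"\0" * 19) + rec(1225826451, 0, b"\x45" + b"\0" * 39)
def run_sample(chunk=7):
    """Feed the sample in small pieces, as tail -f would hand bytes to a consumer."""
    follower, sample, recs = PflogFollower(), make_sample(), []
    for i in range(0, len(sample), chunk):
        recs.extend(follower.feed(sample[i:i + chunk]))
    return recs
```

The follower yields the same two records whatever chunk size the bytes arrive in, which is the property a raw tail pipeline lacks; on a live system the simpler answer in the reply above, tcpdump -i pflog0, still applies.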