When the OpenBSD packet filter (PF) is configured to log traffic, each packet is logged to the OpenBSD “pflog” pseudo-device. This device can be queried with several tools, including tcpdump:
oscar# tcpdump -i pflog0 -ttt -e -o
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0
Jan 23 21:27:33.361173 rule 4/0(match): block in on tun0: 22.214.171.124 > adsl-19-10-38.asm.bellsouth.net: icmp: echo request
Jan 23 21:28:01.505716 rule 4/0(match): block in on tun0: 126.96.36.199.34777 > adsl-19-10-38.asm.bellsouth.net.socks: S (src OS: short-pkt) 3962893738:3962893738(0) win 5840 (DF)
If you are running a busy firewall, you are probably using pflogd to archive this information to a file on your FFS file system. I occassionally like to monitor pflog0 when I am testing new services, especially ones that don’t play nicely with firewalls.