Reading OpenBSD PF log entries in realtime

When the OpenBSD packet filter (PF) is configured to log traffic, each packet is logged to the OpenBSD “pflog” pseudo-device. This device can be queried with several tools, including tcpdump:

oscar# tcpdump -i pflog0 -ttt -e -o
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0
Jan 23 21:27:33.361173 rule 4/0(match): block in on tun0: 12.144.129.35 > adsl-19-10-38.asm.bellsouth.net: icmp: echo request
Jan 23 21:28:01.505716 rule 4/0(match): block in on tun0: 217.20.209.217.34777 > adsl-19-10-38.asm.bellsouth.net.socks: S (src OS: short-pkt) 3962893738:3962893738(0) win 5840 (DF)

If you are running a busy firewall, you are probably using pflogd to archive this information to a file on your FFS file system. I occasionally like to monitor pflog0 when I am testing new services, especially ones that don’t play nicely with firewalls.
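When watching pflog0 for a misbehaving service, it helps to turn the tcpdump lines into structured records so you can count blocks per source host or per rule instead of eyeballing the stream. The following Python parser is an added example, not code from the original post; it reads the "rule N/M(match): action dir on iface: src > dst: ..." format that the tcpdump output above uses. The sample log is constructed inline (the two lines from the post plus one assumed "pass" line), and the port-splitting heuristic assumes tcpdump's convention of appending ".port" (a number or a service name from /etc/services, such as "socks") only to TCP and UDP endpoints.

```python
import re
from collections import Counter

# Constructed sample: the two lines shown in the post plus an assumed "pass out"
# line, all in the "tcpdump -i pflog0 -e" format. Not real captured traffic.
SAMPLE_LOG = """\
Jan 23 21:27:33.361173 rule 4/0(match): block in on tun0: 12.144.129.35 > adsl-19-10-38.asm.bellsouth.net: icmp: echo request
Jan 23 21:28:01.505716 rule 4/0(match): block in on tun0: 217.20.209.217.34777 > adsl-19-10-38.asm.bellsouth.net.socks: S (src OS: short-pkt) 3962893738:3962893738(0) win 5840 (DF)
Jan 23 21:28:05.000001 rule 7/0(match): pass out on tun0: 192.0.2.10.51515 > 198.51.100.7.80: S 1:1(0) win 65535 (DF)
"""

# One pflog line as tcpdump -e prints it: timestamp, rule/subrule and match
# reason, action, direction, interface, then the usual "src > dst: details".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<direction>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$"
)


def split_endpoint(endpoint, has_port):
    """Return (host, port). tcpdump appends '.port' (numeric, or a service name
    resolved from /etc/services such as 'socks') to TCP/UDP endpoints only, so
    the caller tells us whether the last dotted component is a port."""
    if not has_port or "." not in endpoint:
        return endpoint, None
    host, port = endpoint.rsplit(".", 1)
    return host, port


def parse_line(line):
    """Parse one pflog line into a dict, or return None if it is not a
    packet line (e.g. the 'listening on pflog0' banner)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    # tcpdump names icmp/udp explicitly; TCP lines start with the flags ("S").
    if rest.startswith("icmp"):
        proto = "icmp"
    elif rest.startswith("udp"):
        proto = "udp"
    else:
        proto = "tcp"
    rec["proto"] = proto
    rec["src"], rec["src_port"] = split_endpoint(rec["src"], proto != "icmp")
    rec["dst"], rec["dst_port"] = split_endpoint(rec["dst"], proto != "icmp")
    rec["rule"] = int(rec["rule"])
    rec["detail"] = rest
    return rec


def parse_log(text):
    """Parse every packet line in a block of tcpdump output, skipping the rest."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def blocked_by_source(records):
    """Count blocked packets per source host, the quick view you want while
    watching pflog0 to see which peer a new service is tripping over."""
    return Counter(r["src"] for r in records if r["action"] == "block")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f'{r["ts"]} rule {r["rule"]} {r["action"]} {r["direction"]} '
              f'{r["iface"]} {r["proto"]} {r["src"]}:{r["src_port"]} '
              f'-> {r["dst"]}:{r["dst_port"]}')
    print(blocked_by_source(recs))
```

In practice you would feed it live output with something like `tcpdump -n -i pflog0 -e -l | python3 parse_pflog.py` (reading stdin instead of SAMPLE_LOG); `-n` avoids the reverse DNS lookups that otherwise turn addresses into hostnames and make the port split ambiguous, and `-l` line-buffers so records appear as packets arrive.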
