Reading OpenBSD PF log entries in realtime

When the OpenBSD packet filter (PF) is configured to log traffic, each packet is logged to the OpenBSD “pflog” pseudo-device. This device can be queried with several tools, including tcpdump:

$ tcpdump -i pflog0 -ttt -e -o

tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0
Jan 23 21:27:33.361173 rule 4/0(match): block in on tun0:
> icmp: echo request
Jan 23 21:28:01.505716 rule 4/0(match): block in on tun0: > S (src
OS: short-pkt) 3962893738:3962893738(0) win 5840 (DF)

If you are running a busy firewall, you are probably using pflogd to archive this information to a file on your FFS file system. I occassionally like to monitor pflog0 when I am testing new services, especially ones that don’t play nicely with firewalls.

This article was posted by Matty on 2005-02-19 00:17:00 -0400 -0400