Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
PFLOGD(8)		  BSD System Manager's Manual		     PFLOGD(8)

     pflogd -- packet filter logging daemon

     pflogd [-DragonFly] [-d delay] [-f	filename] [-s snaplen] [expression]

     pflogd is a background daemon which reads packets logged by pf(4) to the
     packet logging interface pflog0 and writes	the packets to a logfile (nor-
     mally /var/log/pflog) in tcpdump(8) binary	format.	 These logs can	be re-
     viewed later using	the -r option of tcpdump(8), hopefully offline in case
     there are bugs in the packet parsing code of tcpdump(8).

     pflogd closes and then re-opens the log file when it receives SIGHUP,
     permitting	newsyslog(8) to	rotate logfiles	automatically.	SIGALRM	causes
     pflogd to flush the current logfile buffers to the	disk, thus making the
     most recent logs available.  The buffers are also flushed every delay

     If	the log	file contains data after a restart or a	SIGHUP,	new logs are
     appended to the existing file.  If	the existing log file was created with
     a different snaplen, pflogd temporarily uses the old snaplen to keep the
     log file consistent.

     pflogd tries to preserve the integrity of the log file against I/O	er-
     rors.  Furthermore, integrity of an existing log file is verified before
     appending.	 If there is an	invalid	log file or an I/O error, logging is
     suspended until a SIGHUP or a SIGALRM is received.

     The options are as	follows:

     -D	     Debugging mode.  pflogd does not disassociate from	the control-
	     ling terminal.

     -d	delay
	     Time in seconds to	delay between automatic	flushes	of the file.
	     This may be specified with	a value	between	5 and 3600 seconds.
	     If	not specified, the default is 60 seconds.

     -f	filename
	     Log output	filename.  Default is /var/log/pflog.

     -s	snaplen
	     Analyze at	most the first snaplen bytes of	data from each packet
	     rather than the default of	96.  The default of 96 is adequate for
	     IP, ICMP, TCP, and	UDP headers but	may truncate protocol informa-
	     tion for other protocols.	Other file parsers may desire a	higher

     -x	     Check the integrity of an existing	log file, and return.

	     Selects which packets will	be dumped, using the regular language
	     of	tcpdump(8).

     /var/run/  Process ID of	the currently running pflogd.
     /var/log/pflog	  Default log file.

     Log specific tcp packets to a different log file with a large snaplen
     (useful with a log-all rule to dump complete sessions):

	   # pflogd -s 1600 -f suspicious.log port 80 and host evilhost

     Display binary logs:

	   # tcpdump -n	-e -ttt	-r /var/log/pflog

     Display the logs in real time (this does not interfere with the operation
     of	pflogd):

	   # tcpdump -n	-e -ttt	-i pflog0

     Tcpdump has been extended to be able to filter on the pfloghdr structure
     defined in	<net/if_pflog.h>.  Tcpdump can restrict	the output to packets
     logged on a specified interface, a	rule number, a reason, a direction, an
     IP	family or an action.

     ip		    Address family equals IPv4.
     ip6	    Address family equals IPv6.
     ifname kue0    Interface name equals "kue0".
     on	kue0	    Interface name equals "kue0".
     rulenum 10	    Rule number	equals 10.
     reason match   Reason equals match.  Also accepts "bad-offset", "frag-
		    ment", "short", "normalize"	and "memory".
     action pass    Action equals pass.	 Also accepts "block".
     inbound	    The	direction was inbound.
     outbound	    The	direction was outbound.

     Display the logs in real time of inbound packets that were	blocked	on the
     wi0 interface:

	   # tcpdump -n	-e -ttt	-i pflog0 inbound and action block and on wi0

     pcap(3), pf(4), pflog(4), pf.conf(5), newsyslog(8), tcpdump(8)

     The pflogd	command	appeared in OpenBSD 3.0.

     Can Erkin Acar

BSD				 July 9, 2001				   BSD


Want to link to this manual page? Use this URL:

home | help