packet filter logging daemon
is a background daemon which reads
packets logged by
interface, normally pflog0
, and writes the
packets to a logfile (normally
binary format. These logs can be reviewed later using the
hopefully offline in case there are bugs in the packet parsing code of
closes and then re-opens the log file
when it receives
to rotate logfiles automatically.
to flush the current logfile
buffers to the disk, thus making the most recent logs available. The buffers
are also flushed every delay
If the log file contains data after a restart or a
, new logs are appended to the
existing file. If the existing log file was created with a different snaplen,
temporarily uses the old snaplen to
keep the log file consistent.
tries to preserve the integrity of the
log file against I/O errors. Furthermore, integrity of an existing log file is
verified before appending. If there is an invalid log file or an I/O error,
the log file is moved out of the way and a new one is created. If a new file
cannot be created, logging is suspended until a
will also log the pcap statistics for
interface to syslog when a
The options are as follows:
- Debugging mode.
pflogd does not
disassociate from the controlling terminal.
- Time in seconds to delay between automatic flushes of the file. This may
be specified with a value between 5 and 3600 seconds. If not specified,
the default is 60 seconds.
- Log output filename. Default is
- Specifies the
interface to use. By default,
will use pflog0.
- Writes a file containing the process ID of the program to
/var/run. The file name has the form
⟨pidfile⟩.pid. The default
- Analyze at most the first snaplen bytes
of data from each packet rather than the default of 116. The default of
116 is adequate for IP, ICMP, TCP, and UDP headers but may truncate
protocol information for other protocols. Other file parsers may desire a
- Check the integrity of an existing log file, and return.
- Selects which packets will be dumped, using the regular language of
- Process ID of the currently running
- Default log file.
Log specific tcp packets to a different log file with a large snaplen (useful
with a log-all rule to dump complete sessions):
# pflogd -s 1600 -f suspicious.log port 80 and host evilhost
Log from another
interface, excluding specific packets:
# pflogd -i pflog3 -f network3.log "not (tcp and port 23)"
Display binary logs:
# tcpdump -n -e -ttt -r /var/log/pflog
Display the logs in real time (this does not interfere with the operation of
# tcpdump -n -e -ttt -i pflog0
Tcpdump has been extended to be able to filter on the pfloghdr structure defined
can restrict the output to packets logged on a specified interface, a rule
number, a reason, a direction, an IP family or an action.
- Address family equals IPv4.
- Address family equals IPv6.
- ifname kue0
- Interface name equals "kue0".
- on kue0
- Interface name equals "kue0".
- ruleset authpf
- Ruleset name equals "authpf".
- rulenum 10
- Rule number equals 10.
- reason match
- Reason equals match. Also accepts "bad-offset",
"fragment", "bad-timestamp", "short",
"normalize", "memory", "congestion",
"state-limit", "src-limit", and
- action pass
- Action equals pass. Also accepts "block".
- The direction was inbound.
- The direction was outbound.
Display the logs in real time of inbound packets that were blocked on the wi0
# tcpdump -n -e -ttt -i pflog0 inbound and action block and on wi0
command appeared in
was written by
Can Erkin Acar