Nice. I did not know about that.
 
"When a packet is logged by PF, a copy of the packet header is sent to a
pflog(4)
<http://www.openbsd.org/cgi-bin/man.cgi?query=pflog&sektion=4&manpath=OpenBSD+5.2>
interface along with some additional data such as the interface the packet
was transiting, the action that PF took (pass or block), etc."
 
I will now look for a way to get it to pass the full packet, as I need to do
deep packet inspection.
 
Thanks!
 
-Jason
 


  _____  

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On
Behalf Of James Records
Sent: Sunday, April 28, 2013 12:58
To: pfSense support and discussion
Subject: Re: [pfSense] Packet capture


Jason, 

I think what you want is the pflog0 interface.


-- 
James Records | Principle Network Engineer 

M 425.984.4349 E ja...@northshoresoftware.com

W www.northshoresoftware.com <http://www.northshoresoftware.com/> 

 

On Sun, Apr 28, 2013 at 9:46 AM, Jason Pyeron <jpye...@pdinc.us> wrote:



Yes, the interface for packet capture is nice for an interactive quick look, but
it is not a solution for an automated ingest system for 24x7 capture.
 
regarding the logs:
 
{mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 00:00:00.001738 rule 23/0(match): block in on em0: (tos 0x0, ttl 116, id 4687, offset 0, flags [DF], proto UDP (17), length 66)

{mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 31.222.133.87.53 > 67.90.184.35.53: 952+ [1au] ANY? ripe.net. (38)

the detail is insufficient. I tried "Show raw filter logs", but there does not
seem to be any appreciable difference. I have a backend system (IDS type of
thing) which ingests pcap data as well as syslog; in this case the syslog from
the pfSense is too lightweight.

can I sniff the bridge [BRIDGE0]?

-Jason




  _____  

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On
Behalf Of Trevor Benson
Sent: Sunday, April 28, 2013 10:14
To: pfSense support and discussion
Subject: Re: [pfSense] Packet capture



Have you tried using the built-in packet capture under Diagnostics? This will
clean up your ssh traffic, which is what I assume you mean by tcpdump recursive
traffic. Plus you can download a pcap to examine more closely in Wireshark.

As for traffic denied by the firewall have you tried looking at the firewall
logs? 

Trevor


On Apr 28, 2013 5:47 AM, "Jason Pyeron" <jpye...@pdinc.us> wrote:


I am looking to capture all the packets that are traversing and attempting to
traverse the firewall.

If I use tcpdump -i WAN I get all the packets, if I use tcpdump -i LAN then I
only get the packets that made it past the firewall plus the recursive traffic
of my pcap data leaving the firewall too.

This is telling me I should be using another port, but still does not help me
separate the pcap data into 2 buckets:

1: blocked
2: not blocked

Any suggestions?
 

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us
<http://www.pdinc.us/>  -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
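The two-line pf log format quoted earlier in this thread can be parsed and split into the "blocked" and "not blocked" buckets the original question asks for, which is usually the first thing an IDS-style ingest pipeline needs before deciding whether full-packet capture on pflog0 is worth the storage. The following Python script is an added example, not code from the thread or from pfSense. It assumes the tcpdump-style two-line syslog format of the pfSense 2.0 era shown above (a header line with rule, action, direction, interface and IP header fields, followed by a flow line; newer pfSense releases log a different filterlog format that this parser does not handle). The sample input is constructed: the two lines quoted in the thread re-joined onto single lines, plus two made-up entries using documentation addresses so that both buckets and the port-less ICMP case are exercised.

```python
"""Parse pf syslog entries (pfSense 2.0 two-line format) into block/pass buckets.

Added example, not code from the thread or from pfSense. Assumes the
tcpdump-style format quoted in the thread: a header line, then a flow line.
"""
import re
from collections import Counter

# Header line: "pf: <ts> rule N/M(reason): <pass|block> <in|out> on <iface>: (tos ..., length N)"
HEADER_RE = re.compile(
    r"pf: (?P<ts>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"\(tos 0x(?P<tos>[0-9a-fA-F]+), ttl (?P<ttl>\d+), id (?P<id>\d+), offset (?P<offset>\d+), "
    r"flags \[(?P<flags>[^\]]*)\], proto (?P<proto>\w+) \((?P<proto_num>\d+)\), length (?P<length>\d+)\)"
)

# Flow line: "pf: src[.sport] > dst[.dport]: <payload summary>"; ports are absent for ICMP.
FLOW_RE = re.compile(
    r"pf: (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: ?(?P<payload>.*)$"
)

# Constructed sample: the two lines quoted in the thread (re-joined), plus two
# made-up entries on documentation addresses (RFC 5737) to cover pass and ICMP.
SAMPLE_LOG = """\
{mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 00:00:00.001738 rule 23/0(match): block in on em0: (tos 0x0, ttl 116, id 4687, offset 0, flags [DF], proto UDP (17), length 66)
{mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 31.222.133.87.53 > 67.90.184.35.53: 952+ [1au] ANY? ripe.net. (38)
{mail} Sun Apr 28 11:08:03 EDT 2013 INFO pf: 00:00:00.000412 rule 5/0(match): pass in on em1: (tos 0x0, ttl 64, id 1201, offset 0, flags [DF], proto TCP (6), length 60)
{mail} Sun Apr 28 11:08:03 EDT 2013 INFO pf: 192.0.2.10.51234 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
{mail} Sun Apr 28 11:08:09 EDT 2013 INFO pf: 00:00:00.000077 rule 23/0(match): block in on em0: (tos 0x0, ttl 52, id 3, offset 0, flags [none], proto ICMP (1), length 84)
{mail} Sun Apr 28 11:08:09 EDT 2013 INFO pf: 203.0.113.9 > 198.51.100.7: ICMP echo request, id 7, seq 1, length 64
"""


def parse_pf_log(text):
    """Return one dict per (header, flow) line pair; orphan flow lines are dropped."""
    entries, pending = [], None
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:
            pending = h.groupdict()
            for key in ("rule", "sub", "ttl", "id", "offset", "proto_num", "length"):
                pending[key] = int(pending[key])
            continue
        f = FLOW_RE.search(line)
        if f and pending is not None:
            flow = f.groupdict()
            flow["sport"] = int(flow["sport"]) if flow["sport"] else None
            flow["dport"] = int(flow["dport"]) if flow["dport"] else None
            entries.append({**pending, **flow})
            pending = None  # a header is consumed by exactly one flow line
    return entries


def bucket_by_action(entries):
    """Split entries into the two buckets the original question asks for."""
    buckets = {"block": [], "pass": []}
    for entry in entries:
        buckets[entry["action"]].append(entry)
    return buckets


def top_blocked_sources(entries, n=5):
    """Count blocked packets per source address, most frequent first."""
    return Counter(e["src"] for e in entries if e["action"] == "block").most_common(n)


if __name__ == "__main__":
    parsed = parse_pf_log(SAMPLE_LOG)
    for action, items in bucket_by_action(parsed).items():
        print(f"{action}: {len(items)} packet(s)")
        for e in items:
            print(f"  {e['iface']} {e['dir']} rule {e['rule']} {e['proto']} "
                  f"{e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}  {e['payload']}")
    print("top blocked sources:", top_blocked_sources(parsed))
```

The parser keeps only what the syslog line actually carries (IP header fields plus tcpdump's one-line payload summary), which is exactly why the thread calls it too lightweight for deep inspection: anything beyond the header summary has to come from a pflog0 capture, and the `action` field here is what lets that capture be correlated back into the same two buckets.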

_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
