Jason,

Take a look at this: http://www.openbsd.org/faq/pf/logging.html

Should help you out a bit.

--
James Records | Principal Network Engineer
M 425.984.4349 E [email protected] W www.northshoresoftware.com

On Sun, Apr 28, 2013 at 1:21 PM, Jason Pyeron <[email protected]> wrote:

> Nice. I did not know about that.
>
> "When a packet is logged by PF, a copy of the packet header is sent to a
> pflog(4) <http://www.openbsd.org/cgi-bin/man.cgi?query=pflog&sektion=4&manpath=OpenBSD+5.2>
> interface along with some additional data such as the interface the packet
> was transiting, the action that PF took (pass or block), etc."
>
> I will now look for a way to get it to pass the full packet, as I need to
> do deep packet inspections.
>
> Thanks!
>
> -Jason
>
> ------------------------------
> From: [email protected] [mailto:[email protected]] On Behalf Of James Records
> Sent: Sunday, April 28, 2013 12:58
> To: pfSense support and discussion
> Subject: Re: [pfSense] Packet capture
>
> Jason,
>
> I think what you want is the pflog0 interface.
>
> --
> James Records | Principal Network Engineer
> M 425.984.4349 E [email protected]
> W www.northshoresoftware.com
>
> On Sun, Apr 28, 2013 at 9:46 AM, Jason Pyeron <[email protected]> wrote:
>
>> Yes, the interface for packet capture is nice for an interactive quick
>> look, but it is not a solution for an automated ingest system for 24x7
>> capture.
>>
>> Regarding the logs:
>>
>> {mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 00:00:00.001738 rule
>> 23/0(match): block in on em0: (tos 0x0, ttl 116, id 4687, offset 0, flags
>> [DF], proto UDP (17), length 66)
>>
>> {mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 31.222.133.87.53 >
>> 67.90.184.35.53: 952+ [1au] ANY? ripe.net. (38)
>>
>> The detail is insufficient. I tried "Show raw filter logs", but there
>> does not seem to be any appreciable difference. I have a backend system
>> (IDS type of thing) which ingests pcap data as well as syslog; in this
>> case the syslog from the pfSense is too lightweight.
>>
>> Can I sniff the bridge [BRIDGE0]?
>>
>> -Jason
>>
>> ------------------------------
>> From: [email protected] [mailto:[email protected]] On Behalf Of Trevor Benson
>> Sent: Sunday, April 28, 2013 10:14
>> To: pfSense support and discussion
>> Subject: Re: [pfSense] Packet capture
>>
>> Have you tried using the built-in packet capture under Diagnostics?
>> This will clean up your ssh traffic, which is what I assume you mean by
>> tcpdump recursive traffic. Plus you can download a pcap to examine more
>> closely in Wireshark.
>>
>> As for traffic denied by the firewall, have you tried looking at the
>> firewall logs?
>>
>> Trevor
>>
>> On Apr 28, 2013 5:47 AM, "Jason Pyeron" <[email protected]> wrote:
>>
>>> I am looking to capture all the packets that are traversing and
>>> attempting to traverse the firewall.
>>>
>>> If I use tcpdump -i WAN I get all the packets; if I use tcpdump -i LAN
>>> then I only get the packets that made it past the firewall plus the
>>> recursive traffic of my pcap data leaving the firewall too.
>>>
>>> This is telling me I should be using another port, but still does not
>>> help me separate the pcap data into 2 buckets:
>>>
>>> 1: blocked
>>> 2: not blocked
>>>
>>> Any suggestions?
>>
>> --
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> -                                                               -
> - Jason Pyeron                      PD Inc. http://www.pdinc.us -
> - Principal Consultant              10 West 24th Street #100    -
> - +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
> -                                                               -
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> This message is copyright PD Inc, subject to license 20080407P00.
>
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
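The pflog0 approach James points to, turned into the two buckets Jason asked for, as an added shell example (not code from the thread or from pfSense). It assumes a FreeBSD/pfSense tcpdump with pflog support, that the rules of interest have logging enabled (pflog0 only carries packets hit by logging rules), and that the pflog interface hands tcpdump the complete packet when asked for a full snaplen, which the thread leaves open.

```sh
#!/bin/sh
# Added example: split PF-logged traffic into "blocked" and "passed" buckets
# via the pflog0 interface. Not part of the mailing-list thread.

PFLOG_IF="${PFLOG_IF:-pflog0}"

# tcpdump command for one PF action. "action block" / "action pass" are BPF
# primitives that are valid on pflog interfaces. -s 0 asks for the whole
# packet instead of the default snaplen, which a DPI backend needs.
pflog_capture_cmd() {
    # $1 = pass|block, $2 = output pcap path
    printf 'tcpdump -n -s 0 -i %s -w %s action %s\n' "$PFLOG_IF" "$2" "$1"
}

# Run one writer per bucket concurrently, for a 24x7 ingest pipeline.
pflog_capture_both() {
    # $1 = blocked pcap, $2 = passed pcap
    eval "$(pflog_capture_cmd block "$1")" &
    eval "$(pflog_capture_cmd pass "$2")" &
    wait
}

# Offline splitter for text-mode output ("tcpdump -n -e -ttt -i pflog0" or
# the pf syslog lines quoted in the thread): a header line selects the bucket
# by its action, and the following continuation line(s) go to the same bucket.
# Usage: pflog_bucket blocked.log passed.log < input
pflog_bucket() {
    awk -v blocked="$1" -v passed="$2" '
        /rule [0-9]+\/[0-9]+\([a-z]+\): block (in|out) on/ { out = blocked }
        /rule [0-9]+\/[0-9]+\([a-z]+\): pass (in|out) on/  { out = passed }
        out != "" { print > out }
    '
}
```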
