I'm trying to use tcpdump to capture traffic on the external interface of my NAT/firewall/web/mail/etc. system in a quasi-private way, specifically by excluding any traffic that comes from or is ultimately destined to NAT'ed boxes. Since packets which go from or to 192.168.2.0/24 are NAT'ed before (and probably after) tcpdump sees them, I don't believe I can accomplish this with a simple "not net 192.168.2.0/24" filter on tcpdump; thus, I've turned to the "rulenum" or "rdr" feature of tcpdump's filter criteria, which works on packets logged by pf(4).

I know that if I simply enable logging on all of the packets I want to see, using pf-based tcpdump filter criteria works like a charm. The problem I have is that doing so will make for a rather gigantic /var/log/pflog very quickly, a situation I'd like to avoid if possible (for disk space and possible performance issues). Thus, my question is: is it possible to enable pf logging without writing to /var/log/pflog, while still preserving tcpdump's ability to see packets on the pflog0 interface? Alternately, is there a better/simpler way to accomplish my tcpdump objective of not logging packets coming from or destined to NAT'ed boxes?

Thanks,
Alex Kirk