--- [EMAIL PROTECTED] wrote:

> I'm trying to use tcpdump to capture traffic on the external interface of
> my NAT/firewall/web/mail/etc. system in a quasi-private way,
> specifically by excluding any traffic that comes from or is ultimately
> destined to NAT'ed boxes. Since packets which go from or to
> 192.168.2.0/24 are NAT'ed before (and probably after) tcpdump sees
> them, I don't believe I can accomplish this with a simple "not net
> 192.168.2.0/24" filter on tcpdump; thus, I've turned to the "rulenum"
> or "rdr" feature of tcpdump's filter criteria, which works on packets
> logged by pf(4).
>
> I know that if I simply enable logging on all of the packets I want to
> see, using pf-based tcpdump filter criteria works like a charm. The
> problem I have is that doing so will make for a rather gigantic
> /var/log/pflog very quickly, a situation I'd like to avoid if possible
> (for disk space and possible performance issues). Thus, my question is:
> is it possible to enable pf logging without writing to /var/log/pflog,
> while still preserving tcpdump's ability to see packets on the pflog0
> interface? Alternately, is there a better/simpler way to accomplish my
> tcpdump objective of not logging packets coming from or destined to
> NAT'ed boxes?
You want to log packets to standard output but not to disk? Is that it?

Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

