On Thu, Feb 13, 2003 at 09:59:04AM -0600, pf-list wrote:

> No, that rule was written intentionally so that the packets would no longer
> be blocked.  However, I still should have been able to see the packets via
> tcpdumping /var/log/pflog and I never could.  The only reason I discovered
> my logs were filling so fast was running ethereal on pflog0.  With the new
> rule in place instead of my logs filling and rotating about twice a day
> they fill and rotate about once per week.  So where were the packets, why
> couldn't I see them via tcpdump of pflog?

pflogd does nothing more than listen on /dev/pflog0 and copy
anything from there to /var/log/pflog. So each packet you see when
running tcpdump -i pflog0 will end up in /var/log/pflog, too.

You seem to agree that packets do get appended to /var/log/pflog, too.

So, are you maybe running "tcpdump of pflog" with the wrong parameters?
Try tcpdump -netttvvvr /var/log/pflog, you should see all packets in
that file. Of course the tcpdump process will terminate after reaching
the end of the file, while pflogd will append new packets to the end.
You'll have to re-run tcpdump to see all the new packets, etc.

Daniel
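The behaviour Daniel describes (tcpdump -r reads /var/log/pflog to its end and exits, while pflogd keeps appending records) is a property of the pcap file format that the log uses. The following is an added example, not code from the thread or from OpenBSD: a small Python reader that walks the pcap record framing of such a file, remembers where it stopped, and on the next pass returns only the records appended since, skipping a record pflogd has only half-written. It does not decode the pflog per-packet header (that is what tcpdump does for you); the records it builds are constructed dummies, and the DLT_PFLOG link-type value 117 is assumed to match the reader's libpcap.

```python
"""Resumable reader for the pcap record framing of a pflogd-style log file.

Added example, not from the original mailing-list thread.  Only the pcap
container (global header + per-record headers) is parsed; the pflog header
inside each record is left as opaque bytes.
"""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4
# magic, version major/minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR = struct.Struct("<IHHiIII")
# ts_sec, ts_usec, incl_len, orig_len
REC_HDR_LE = struct.Struct("<IIII")
DLT_PFLOG = 117  # assumption: libpcap's link type for pflog captures


def write_global_header(fh, linktype=DLT_PFLOG, snaplen=96):
    """Write a little-endian pcap file header, as a writer on i386 would."""
    fh.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))


def append_record(fh, ts_sec, ts_usec, payload):
    """Append one complete pcap record (header + captured bytes)."""
    fh.write(REC_HDR_LE.pack(ts_sec, ts_usec, len(payload), len(payload)))
    fh.write(payload)


def read_records(path, offset=None):
    """Return (records, next_offset).

    records is a list of (ts_sec, ts_usec, payload); next_offset is the byte
    position where the next complete record would start, so a caller can
    resume from it later instead of re-reading the whole file the way a
    second `tcpdump -r` run would.  A trailing record whose bytes are not
    all on disk yet (pflogd mid-write) is left for the next pass.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    magic = data[:4]
    if magic == struct.pack("<I", PCAP_MAGIC):
        rec = struct.Struct("<IIII")
    elif magic == struct.pack(">I", PCAP_MAGIC):
        rec = struct.Struct(">IIII")
    else:
        raise ValueError("not a pcap/pflog file: bad magic")
    pos = GLOBAL_HDR.size if offset is None else offset
    records = []
    while pos + rec.size <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = rec.unpack_from(data, pos)
        end = pos + rec.size + incl_len
        if end > len(data):
            break  # partial record at EOF: do not consume or advance past it
        records.append((ts_sec, ts_usec, data[pos + rec.size:end]))
        pos = end
    return records, pos


def demo():
    """Constructed scenario: read a log, let 'pflogd' append, read only the new part.

    Returns (records_first_pass, records_second_pass, final_offset).
    """
    fd, path = tempfile.mkstemp(suffix=".pflog")
    os.close(fd)
    try:
        with open(path, "wb") as fh:
            write_global_header(fh)
            # constructed dummy records; real ones carry a pflog header + packet
            append_record(fh, 1045149544, 0, b"\x00" * 48)
            append_record(fh, 1045149545, 0, b"\x00" * 48)
        first, off = read_records(path)
        with open(path, "ab") as fh:
            append_record(fh, 1045149546, 0, b"\x00" * 60)
            # simulate pflogd caught mid-write: header claims 40 bytes, only 10 present
            fh.write(REC_HDR_LE.pack(1045149547, 0, 40, 40) + b"\x00" * 10)
        second, off2 = read_records(path, off)
        return len(first), len(second), off2
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The first pass sees two records and stops at byte 152; the second pass, resumed from that offset, returns only the one fully written record and leaves the truncated one for later. tcpdump -r has no such resume option, which is why Daniel suggests simply re-running it, or reading the live interface with tcpdump -i pflog0 when you want to watch packets as they are logged.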
