On Thu, 13 Feb 2003, Daniel Hartmeier wrote:
> On Thu, Feb 13, 2003 at 09:59:04AM -0600, pf-list wrote:
> 
> > No that rule was written intentionally so that the packets would no longer
> > be blocked. However, I still should have been able to see the packets via
> > tcpdumping /var/log/pflog and I never could. The only reason I discovered
> > my logs were filling so fast was running ethereal on pflog0. With the new
> > rule in place instead of my logs filling and rotating about twice a day
> > they fill and rotate about once per week. So where were the packets, why
> > couldn't I see them via tcpdump of pflog?
> 
> pflogd does nothing more than listening on /dev/pflog0 and copying
> anything from there to /var/log/pflog. So each packet you see when
> running tcpdump -i pflog0 will end up in /var/log/pflog, too.
> 
> You seem to agree that packets do get appended to /var/log/pflog, too.
> 
> So, are you maybe running "tcpdump of pflog" with the wrong parameters?
> Try tcpdump -netttvvvr /var/log/pflog, you should see all packets in
> that file. Of course the tcpdump process will terminate after reaching
> the end of the file, while pflogd will append new packets to the end.
> You'll have to re-run tcpdump to see all the new packets, etc.
> 
> Daniel
> 

I apologize for wasting the list's time as I just realized the perl script I had written was filtering them out improperly. This made it seem like the packets were vanishing into thin air.

Thanks,
James
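An added example, not code from this thread: a small Python reader that checks what Daniel describes, that records keep being appended to /var/log/pflog, by counting complete pcap records past a saved offset so it can be re-run as the file grows instead of restarting tcpdump from the top. It assumes the standard libpcap file layout (24-byte global header, 16-byte per-record headers) and that pflogd tags the file with link type DLT_PFLOG (117); the sample bytes are constructed, not a real capture.

```python
import io
import struct
DLT_PFLOG = 117  # libpcap link type pflogd writes (assumption: 117, libpcap's DLT_PFLOG)

def pcap_header(fh):
    """Parse the 24-byte pcap global header; return (endian, snaplen, linktype)."""
    hdr = fh.read(24)
    if len(hdr) < 24:
        raise ValueError("short pcap global header")
    if hdr[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"  # magic 0xA1B2C3D4 stored little-endian
    elif hdr[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    snaplen, linktype = struct.unpack(endian + "II", hdr[16:24])
    return endian, snaplen, linktype

def read_records(fh, endian, offset):
    """Read whole records from offset; a trailing partial record (pflogd mid-write)
    is left for the next call. Return (records, next_offset)."""
    fh.seek(offset)
    records = []
    while True:
        rh = fh.read(16)
        if len(rh) < 16:
            break
        ts_sec, ts_usec, caplen, origlen = struct.unpack(endian + "IIII", rh)
        data = fh.read(caplen)
        if len(data) < caplen:
            break
        records.append((ts_sec + ts_usec / 1e6, caplen, origlen, data))
        offset += 16 + caplen
    return records, offset

def tail_pflog(data, offset=24):
    """Count complete records past offset in a pflog pcap; return (count, next_offset)."""
    fh = io.BytesIO(data)
    endian, _, linktype = pcap_header(fh)
    if linktype != DLT_PFLOG:
        raise ValueError("not a pflog capture: linktype %d" % linktype)
    records, nxt = read_records(fh, endian, offset)
    return len(records), nxt

# Constructed sample (not a real capture): little-endian pcap, DLT_PFLOG, two whole
# records, then a third whose header promises 10 bytes but only 3 are on disk yet.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, DLT_PFLOG)
          + struct.pack("<IIII", 1045152000, 0, 8, 8) + b"A" * 8
          + struct.pack("<IIII", 1045152001, 0, 4, 4) + b"B" * 4
          + struct.pack("<IIII", 1045152002, 0, 10, 10) + b"C" * 3)
```

Against a live file, read the bytes from disk, keep the returned offset, and call again later; a non-zero count on the second call confirms pflogd is still appending.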
