Daniel Hartmeier [EMAIL PROTECTED] wrote:

> But check the pflogd(8) man page. It explains how to
> use pcap filter expressions to filter pflog by rule number and other
> criteria. You could, for instance, run multiple pflogd instances, each
> logging packets from specific rule number into separate files, etc.
>
> If you log everything into one pcap file, you can use filter expressions
> when running tcpdump to convert the pcap file into plain text. It's
> quite powerful, once you understand it.
I am confused again. I get the impression that there is some way to use pflogd as an interactive program. I did kill it off and restart it a few times, but I did worry about leaving holes in my logs.

It is not for logging that I wanted the ability; it was for debugging. The large quantity of incoming traffic (most of it attacks) makes it very difficult to find things in the logs. I don't really want huge logs and to use tcpdump expressions to find what is of interest to me (usually a particular source or target machine). My approach to problems is to modify the pf.conf file, changing logging to see just those rules I am having problems with. Often I have been adding special rules at the front of the file. It's a lot quicker that way to see if the rule is doing what I want: examine the log files, modify the rules and retry. When I was tracing down my traceroute problem, I spent two days modifying the pf.conf file. I worry when I make changes to any file; it's too easy to slip and accidentally modify something you didn't mean to.

It is annoying that spamlogd requires me to log all the SMTP traffic, which just adds more junk to my logs.
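The filtering Daniel describes (keep one pcap, then pick out a rule number or a host when reading it back, e.g. `tcpdump -n -e -ttt -r /var/log/pflog 'rnr 12 and host 203.0.113.5'`) works because pflogd writes a small pfloghdr in front of every logged packet, and that header carries the rule number, action, direction and interface. The script below is an added example, not code from this thread or from the pf project: it decodes that header and the following IP packet itself and applies the same rule/host/action selection offline, so you can see what the `rnr`, `action` and `host` primitives match on without touching the live logging process. It assumes the classic 64-byte `struct pfloghdr` (link type DLT_PFLOG = 117) of OpenBSD pf at the time of this post, with `rulenr` stored big-endian and the OpenBSD values AF_INET = 2 and AF_INET6 = 24; later releases lengthened the header, which the code tolerates by honouring the record's own `length` byte. The sample capture is constructed inline, not a real log.

```python
"""Offline filtering of an OpenBSD pflog capture by rule number, host and action.

Added example, not from the original thread.  Assumes the 64-byte struct
pfloghdr (DLT_PFLOG) of pf at the time of the post; the uid/pid fields are
skipped because they are stored in host byte order and are not needed here.
"""
import struct
from ipaddress import ip_address

DLT_PFLOG = 117             # pcap link type for pflog(4)
PFLOG_HDRLEN = 64           # assumption: classic header size (newer pf is longer)
AF_INET, AF_INET6 = 2, 24   # OpenBSD values (AF_INET6 is 10 on Linux)
PF_PASS, PF_DROP = 0, 1     # pfloghdr.action
PF_IN, PF_OUT = 1, 2        # pfloghdr.dir
# length, af, action, reason, ifname[16], ruleset[16], rulenr, subrulenr,
# (uid, pid, rule_uid, rule_pid skipped), dir, pad[3]
PFLOG_FMT = ">BBBB16s16sII16xB3x"
assert struct.calcsize(PFLOG_FMT) == PFLOG_HDRLEN


def pflog_record(ifname, action, direction, rulenr, src, dst, proto):
    """Build one pflog record (pfloghdr + minimal IP header). Constructed sample data."""
    s, d = ip_address(src), ip_address(dst)
    if s.version == 4:
        af = AF_INET
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, s.packed, d.packed)
    else:
        af = AF_INET6
        ip = struct.pack(">IHBB16s16s", 0x60000000, 0, proto, 64, s.packed, d.packed)
    hdr = struct.pack(PFLOG_FMT, PFLOG_HDRLEN, af, action, 0, ifname.encode(),
                      b"", rulenr, 0xFFFFFFFF, direction)   # subrulenr -1: no anchor
    return hdr + ip


def build_pcap(records):
    """Wrap records in a little-endian pcap file with link type DLT_PFLOG."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_PFLOG)]
    for i, rec in enumerate(records):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(rec), len(rec)) + rec)
    return b"".join(out)


def iter_pcap(data):
    """Yield (timestamp, packet bytes) from a pcap file, checking it is pflog."""
    magic, = struct.unpack_from("<I", data, 0)
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a pcap file")
    linktype = struct.unpack_from(end + "HHiIII", data, 4)[5]
    if linktype != DLT_PFLOG:
        raise ValueError("link type %d is not DLT_PFLOG" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_record(pkt):
    """Decode pfloghdr and the src/dst/proto of the IP packet behind it."""
    hlen, af, action, reason, ifname, ruleset, rulenr, subrulenr, direction = \
        struct.unpack_from(PFLOG_FMT, pkt, 0)
    ip = pkt[hlen:]                      # honour the record's own header length
    if af == AF_INET:
        proto, src, dst = ip[9], ip[12:16], ip[16:20]
    elif af == AF_INET6:
        proto, src, dst = ip[6], ip[8:24], ip[24:40]
    else:
        raise ValueError("unsupported address family %d" % af)
    return {"ifname": ifname.rstrip(b"\0").decode(), "action": action, "dir": direction,
            "rulenr": rulenr, "subrulenr": subrulenr, "reason": reason,
            "src": str(ip_address(src)), "dst": str(ip_address(dst)), "proto": proto}


def filter_pflog(pcap_bytes, rnr=None, host=None, action=None):
    """Select records like tcpdump's 'rnr N', 'host H' and 'action pass|block'."""
    out = []
    for ts, pkt in iter_pcap(pcap_bytes):
        rec = parse_record(pkt)
        if rnr is not None and rec["rulenr"] != rnr:
            continue
        if action is not None and rec["action"] != action:
            continue
        if host is not None and host not in (rec["src"], rec["dst"]):
            continue
        rec["ts"] = ts
        out.append(rec)
    return out


def format_record(rec):
    act = "pass" if rec["action"] == PF_PASS else "block"
    dr = "in" if rec["dir"] == PF_IN else "out"
    return "rule %d %s %s on %s: %s > %s proto %d" % (
        rec["rulenr"], act, dr, rec["ifname"], rec["src"], rec["dst"], rec["proto"])


# Constructed sample capture (not a real log): a scanner blocked by rule 3,
# an allowed session matched by rule 12 in both directions, and an IPv6 block.
SAMPLE = build_pcap([
    pflog_record("em0", PF_DROP, PF_IN, 3, "198.51.100.7", "192.0.2.10", 6),
    pflog_record("em0", PF_PASS, PF_IN, 12, "203.0.113.5", "192.0.2.10", 6),
    pflog_record("em0", PF_DROP, PF_IN, 3, "198.51.100.8", "192.0.2.10", 17),
    pflog_record("em0", PF_PASS, PF_OUT, 12, "192.0.2.10", "203.0.113.5", 6),
    pflog_record("em0", PF_DROP, PF_IN, 5, "2001:db8::1", "2001:db8::10", 58),
])

if __name__ == "__main__":
    for rec in filter_pflog(SAMPLE, rnr=12):
        print(format_record(rec))
```

To run it against a real log, replace `SAMPLE` with `open("/var/log/pflog", "rb").read()`; the `length` byte in each record is what lets the decoder skip a longer header from a newer pf without changing `PFLOG_FMT`, as long as the leading fields keep their classic layout.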
