On Thu, Jan 27, 2005 at 03:19:57PM -0500, Peter Fraser wrote:
> I get the impression that there is some way to use pflogd as an
> interactive program. I did kill it off and restart it a few times,
> but I did worry about leaving holes in my logs.
You can run tcpdump on interface pflog0. This will read all packets logged by pf and print them on screen as text. You can run multiple such instances in parallel; they don't affect each other (or pflogd, which writes to /var/log/pflog). Each instance can use its own pcap filter expression.

For instance, after you added a rule that logs to the ruleset, you find out its rule number (using pfctl -vvsr), then run

  # tcpdump -nevvvttti pflog0 rulenum 10

and generate traffic. That tcpdump instance will only print packets logged by rule @10. When you've seen enough, you kill the tcpdump process with ctrl-c. pflogd and /var/log/pflog are not affected (except that it likely logged the same packets, too).

Daniel
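The workflow Daniel describes (find the rule's number in the `pfctl -vvsr` listing, then watch only that rule's packets on pflog0) as an added shell example; this is not code from the original thread. The ruleset listing below is constructed to look like `pfctl -vvsr` output and is an assumption about its format; the `@10` rule number and the tcpdump flags are taken from the message above, and the `rule_number`, `logged_rule_numbers` and `tcpdump_cmd` helper names are my own.

```shell
#!/bin/sh
# Added example, not from the original mailing-list message.
# Given the verbose ruleset listing that `pfctl -vvsr` prints, find the
# number of the first rule whose text matches a pattern, and build the
# tcpdump command that shows only that rule's logged packets on pflog0.

# Constructed sample of `pfctl -vvsr` output (assumed format: each rule
# line starts with "@N", followed by a counters line in brackets).
SAMPLE_RULESET='@0 scrub in all fragment reassemble
  [ Evaluations: 1234      Packets: 1200      Bytes: 98765       States: 0     ]
@9 block drop in log all
  [ Evaluations: 1234      Packets: 12        Bytes: 720         States: 0     ]
@10 block drop in log quick on em0 from 192.0.2.0/24 to any
  [ Evaluations: 1234      Packets: 3         Bytes: 180         States: 0     ]
@11 pass in on em0 proto tcp from any to any port = ssh flags S/SA keep state
  [ Evaluations: 1230      Packets: 8         Bytes: 600         States: 2     ]'

# rule_number LISTING PATTERN
# Print the N of the first "@N ..." rule line in LISTING that matches
# PATTERN (an extended regex); print nothing if no rule matches.
rule_number() {
    printf '%s\n' "$1" |
        grep -E '^@[0-9]+ ' |          # keep rule lines, drop counter lines
        grep -E -- "$2" |
        head -n 1 |
        sed -E 's/^@([0-9]+) .*/\1/'
}

# logged_rule_numbers LISTING
# Print, one per line, the numbers of all rules carrying the "log" keyword,
# i.e. the only rules that can ever produce packets on pflog0. Useful as a
# sanity check when tcpdump on pflog0 stays silent: a rule without "log"
# never shows up there no matter what traffic you generate.
logged_rule_numbers() {
    printf '%s\n' "$1" |
        grep -E '^@[0-9]+ ' |
        grep -E -w 'log' |
        sed -E 's/^@([0-9]+) .*/\1/'
}

# tcpdump_cmd RULENUM
# Build the tcpdump invocation from the message (same flags), restricted
# by the pcap filter "rulenum N" to packets logged by rule @N.
tcpdump_cmd() {
    printf 'tcpdump -nevvvttti pflog0 rulenum %s\n' "$1"
}

# Usage: look up the rule that blocks 192.0.2.0/24 and print the command
# you would then run (as root) while generating test traffic.
num=$(rule_number "$SAMPLE_RULESET" 'from 192\.0\.2\.0/24')
[ -n "$num" ] && tcpdump_cmd "$num"
```

On a live system you would replace `SAMPLE_RULESET` with `$(pfctl -vvsr)`; the filter expression is evaluated by tcpdump's own pcap parser, so the pflog0 reader and pflogd still see and log exactly the same packets.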
