Re: Watching /var/log/pflog grow
cpghost wrote:

> How can I watch /var/log/pflog grow with tcpdump, tail -f style?
>
> This won't work:
>
>   $ tail -f /var/log/pflog | tcpdump -n -s 116 -r -
>
> because tail doesn't start at the right location. Using a blocksize (-b)
> with tail may also not be right, because the captured packets are not the
> same size.
>
> This seems to work:
>
>   $ tcpdump -n -s 116 -i pflog0
>
> but now, both tcpdump and pflogd are competing for the same interface
> pflog0. I'm afraid that in the latter case, every packet will be EITHER
> logged by pflogd XOR displayed by tcpdump. Is that so? If yes,
> /var/log/pflog would be incomplete, because some packets would have been
> snatched away from pflog0 by tcpdump, before pflogd ever got a chance to
> read them out.
>
> Is there a way to watch /var/log/pflog grow, while still making sure that
> pflogd logs EVERY packet that appears on the pflog0 interface? How?

Running tcpdump against the pflog0 pseudo-interface no more stops pflogd
recording the traffic than running tcpdump on your network interface
blocks traffic from the net.

    tcpdump -vv -i pflog0

really is the way to go if you want to see what your firewall is logging
in real time.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
Watching /var/log/pflog grow
How can I watch /var/log/pflog grow with tcpdump, tail -f style?

This won't work:

  $ tail -f /var/log/pflog | tcpdump -n -s 116 -r -

because tail doesn't start at the right location. Using a blocksize (-b)
with tail may also not be right, because the captured packets are not the
same size.

This seems to work:

  $ tcpdump -n -s 116 -i pflog0

but now, both tcpdump and pflogd are competing for the same interface
pflog0. I'm afraid that in the latter case, every packet will be EITHER
logged by pflogd XOR displayed by tcpdump. Is that so? If yes,
/var/log/pflog would be incomplete, because some packets would have been
snatched away from pflog0 by tcpdump, before pflogd ever got a chance to
read them out.

Is there a way to watch /var/log/pflog grow, while still making sure that
pflogd logs EVERY packet that appears on the pflog0 interface? How?

Thanks
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
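The two reasons the `tail -f | tcpdump -r -` pipeline in the question fails (tail skips the one-time pcap file header, and record boundaries are variable, so a byte-offset tail lands mid-record) can be seen in a pcap-aware follower that does what tail cannot. This is an added example, not code from the thread: the record layout is the standard pcap file format, the sample file bytes are constructed inline (snaplen 116 matches the `-s 116` in the question, and 117 is the pcap link type for pflog), and a deliberately truncated last record shows how a poller should handle pflogd being mid-write.

```python
import io
import struct

GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_usec, incl_len (captured), orig_len (on wire)
DLT_PFLOG = 117       # pcap link-layer type written by pflogd
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # little/big endian

def read_global_header(f):
    """Parse the one-time file header that tail -f skips (hence tcpdump -r - fails)."""
    hdr = f.read(GLOBAL_HDR_LEN)
    if len(hdr) < GLOBAL_HDR_LEN or hdr[:4] not in MAGIC:
        raise ValueError("not a complete pcap file header")
    endian = MAGIC[hdr[:4]]
    _magic, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", hdr)
    return endian, snaplen, linktype

def next_records(f, endian):
    """Yield complete records from the current offset; leave a partial one unread."""
    while True:
        pos = f.tell()
        rh = f.read(RECORD_HDR_LEN)
        if len(rh) < RECORD_HDR_LEN:
            f.seek(pos)          # record header not fully written yet: retry next poll
            return
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", rh)
        data = f.read(incl_len)  # incl_len varies per packet, so no fixed block size works
        if len(data) < incl_len:
            f.seek(pos)          # pflogd is mid-write; wait for the rest of this record
            return
        yield ts_sec, ts_usec, incl_len, orig_len, data

def build_sample_pcap():
    """Constructed sample: pflog-typed pcap, snaplen 116, two records, one truncated."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 116, DLT_PFLOG)
    rec1 = struct.pack("<IIII", 1225800000, 1, 40, 40) + b"\x11" * 40
    rec2 = struct.pack("<IIII", 1225800001, 2, 116, 1500) + b"\x22" * 116  # clipped to snaplen
    partial = struct.pack("<IIII", 1225800002, 3, 60, 60) + b"\x33" * 20   # only 20 of 60 bytes
    return hdr + rec1 + rec2 + partial

def follow(blob):
    """Read the header once, then every complete record; report where the next poll resumes."""
    f = io.BytesIO(blob)
    endian, snaplen, linktype = read_global_header(f)
    recs = list(next_records(f, endian))
    return snaplen, linktype, [(r[2], r[3]) for r in recs], f.tell()
```

On a live file the same loop would sleep and call `next_records` again on the same open handle, which resumes exactly at the incomplete record.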
Re: Watching /var/log/pflog grow
On Tue, Nov 04, 2008 at 08:13:54PM +0100, cpghost wrote:
> How can I watch /var/log/pflog grow with tcpdump, tail -f style?
>
> This won't work:
>
>   $ tail -f /var/log/pflog | tcpdump -n -s 116 -r -
>
> because tail doesn't start at the right location. Using a blocksize (-b)
> with tail may also not be right, because the captured packets are not the
> same size.
>
> This seems to work:
>
>   $ tcpdump -n -s 116 -i pflog0
>
> but now, both tcpdump and pflogd are competing for the same interface
> pflog0. I'm afraid that in the latter case, every packet will be EITHER
> logged by pflogd XOR displayed by tcpdump. Is that so? If yes,
> /var/log/pflog would be incomplete, because some packets would have been
> snatched away from pflog0 by tcpdump, before pflogd ever got a chance to
> read them out.
>
> Is there a way to watch /var/log/pflog grow, while still making sure that
> pflogd logs EVERY packet that appears on the pflog0 interface? How?

Please post this to freebsd-pf, where you can get better help.

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.               PGP: 4BD6C0CB |
Re: Watching /var/log/pflog grow
cpghost [EMAIL PROTECTED] wrote:

> How can I watch /var/log/pflog grow with tcpdump, tail -f style?
>
> This won't work:
>
>   $ tail -f /var/log/pflog | tcpdump -n -s 116 -r -
>
> because tail doesn't start at the right location.

[...]

> I'm afraid that in the latter case, every packet will be EITHER logged by
> pflogd XOR displayed by tcpdump. Is that so? If yes, /var/log/pflog would
> be incomplete, because some packets would have been snatched away from
> pflog0 by tcpdump, before pflogd ever got a chance to read them out.
>
> Is there a way to watch /var/log/pflog grow, while still making sure that
> pflogd logs EVERY packet that appears on the pflog0 interface? How?

According to pflogd(8):

     Display the logs in real time (this does not interfere with the
     operation of pflogd):

           # tcpdump -n -e -ttt -i pflog0

-- 
Sahil Tandon [EMAIL PROTECTED]
Re: Watching /var/log/pflog grow
On Tue, Nov 04, 2008 at 07:20:42PM +, Matthew Seaman wrote:
> cpghost wrote:
>> How can I watch /var/log/pflog grow with tcpdump, tail -f style?
>>
>> This won't work:
>>
>>   $ tail -f /var/log/pflog | tcpdump -n -s 116 -r -
>>
>> because tail doesn't start at the right location. Using a blocksize (-b)
>> with tail may also not be right, because the captured packets are not the
>> same size.
>>
>> This seems to work:
>>
>>   $ tcpdump -n -s 116 -i pflog0
>>
>> but now, both tcpdump and pflogd are competing for the same interface
>> pflog0. I'm afraid that in the latter case, every packet will be EITHER
>> logged by pflogd XOR displayed by tcpdump. Is that so? If yes,
>> /var/log/pflog would be incomplete, because some packets would have been
>> snatched away from pflog0 by tcpdump, before pflogd ever got a chance to
>> read them out.
>>
>> Is there a way to watch /var/log/pflog grow, while still making sure that
>> pflogd logs EVERY packet that appears on the pflog0 interface? How?
>
> Running tcpdump against the pflog0 pseudo-interface no more stops pflogd
> recording the traffic than running tcpdump on your network interface
> blocks traffic from the net.

Ah, okay. pflog0 therefore delivers a *copy* of the packets to all
subscribers. That's good to know!

>     tcpdump -vv -i pflog0
>
> really is the way to go if you want to see what your firewall is logging
> in real time.

Yep, will do. Thanks for helping.

-cpghost.

> Cheers,
>
> Matthew
>
> -- 
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>                                                   Kent, CT11 9PW

-- 
Cordula's Web. http://www.cordula.ws/
Re: Watching /var/log/pflog grow
On Tue, Nov 04, 2008 at 09:22:42PM -0500, Sahil Tandon wrote:
> cpghost [EMAIL PROTECTED] wrote:
>
>> How can I watch /var/log/pflog grow with tcpdump, tail -f style?
>>
>> This won't work:
>>
>>   $ tail -f /var/log/pflog | tcpdump -n -s 116 -r -
>>
>> because tail doesn't start at the right location.
>
> [...]
>
>> I'm afraid that in the latter case, every packet will be EITHER logged by
>> pflogd XOR displayed by tcpdump. Is that so? If yes, /var/log/pflog would
>> be incomplete, because some packets would have been snatched away from
>> pflog0 by tcpdump, before pflogd ever got a chance to read them out.
>>
>> Is there a way to watch /var/log/pflog grow, while still making sure that
>> pflogd logs EVERY packet that appears on the pflog0 interface? How?
>
> According to pflogd(8):
>
>      Display the logs in real time (this does not interfere with the
>      operation of pflogd):
>
>            # tcpdump -n -e -ttt -i pflog0

EOUTOFCAFFEINE

I actually read the man page, but I didn't pay attention to this.
Sorry for the noise and thanks for pointing it out.

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
Re: Watching /var/log/pflog grow
On Tue, Nov 04, 2008 at 05:15:57PM -0800, Jeremy Chadwick wrote:
> On Tue, Nov 04, 2008 at 08:13:54PM +0100, cpghost wrote:
>> How can I watch /var/log/pflog grow with tcpdump, tail -f style?
>>
>> This won't work:
>>
>>   $ tail -f /var/log/pflog | tcpdump -n -s 116 -r -
>>
>> because tail doesn't start at the right location. Using a blocksize (-b)
>> with tail may also not be right, because the captured packets are not the
>> same size.
>>
>> This seems to work:
>>
>>   $ tcpdump -n -s 116 -i pflog0
>>
>> but now, both tcpdump and pflogd are competing for the same interface
>> pflog0. I'm afraid that in the latter case, every packet will be EITHER
>> logged by pflogd XOR displayed by tcpdump. Is that so? If yes,
>> /var/log/pflog would be incomplete, because some packets would have been
>> snatched away from pflog0 by tcpdump, before pflogd ever got a chance to
>> read them out.
>>
>> Is there a way to watch /var/log/pflog grow, while still making sure that
>> pflogd logs EVERY packet that appears on the pflog0 interface? How?
>
> Please post this to freebsd-pf, where you can get better help.

Thank you, but the problem seems solved (pflog0 delivers copies of
packets). I'll test this tomorrow and should I miss some packets in the
log file, I'll surely raise the question again.

Thank you all for helping, on and off list.

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/