Re: Watching /var/log/pflog grow
cpghost wrote:
> How can I watch /var/log/pflog grow with tcpdump, tail -f style?
> This won't work:
>
>   $ tail -f /var/log/pflog | tcpdump -n -s 116 -r -
>
> because tail doesn't start at the right location. Using a blocksize
> (-b) with tail may also not be right, because the captured packets are
> not the same size.
>
> This seems to work:
>
>   $ tcpdump -n -s 116 -i pflog0
>
> but now, both tcpdump and pflogd are competing for the same interface
> pflog0. I'm afraid that in the latter case, every packet will be EITHER
> logged by pflogd XOR displayed by tcpdump. Is that so? If yes,
> /var/log/pflog would be incomplete, because some packets would have
> been snatched away from pflog0 by tcpdump, before pflogd ever got a
> chance to read them out.
>
> Is there a way to watch /var/log/pflog grow, while still making sure
> that pflogd logs EVERY packet that appears on the pflog0 interface? How?

Running tcpdump against the pflog0 pseudo-interface no more stops pflogd
recording the traffic than running tcpdump on your network interface
blocks traffic from the net. tcpdump -vv -i pflog0 really is the way to
go if you want to see what your firewall is logging in real time.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
Watching /var/log/pflog grow
How can I watch /var/log/pflog grow with tcpdump, tail -f style?
This won't work:

  $ tail -f /var/log/pflog | tcpdump -n -s 116 -r -

because tail doesn't start at the right location. Using a blocksize
(-b) with tail may also not be right, because the captured packets are
not the same size.

This seems to work:

  $ tcpdump -n -s 116 -i pflog0

but now, both tcpdump and pflogd are competing for the same interface
pflog0. I'm afraid that in the latter case, every packet will be EITHER
logged by pflogd XOR displayed by tcpdump. Is that so? If yes,
/var/log/pflog would be incomplete, because some packets would have
been snatched away from pflog0 by tcpdump, before pflogd ever got a
chance to read them out.

Is there a way to watch /var/log/pflog grow, while still making sure
that pflogd logs EVERY packet that appears on the pflog0 interface? How?

Thanks
-cpghost.

--
Cordula's Web. http://www.cordula.ws/

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Watching /var/log/pflog grow
On Tue, Nov 04, 2008 at 08:13:54PM +0100, cpghost wrote:
> How can I watch /var/log/pflog grow with tcpdump, tail -f style?
> This won't work:
>
>   $ tail -f /var/log/pflog | tcpdump -n -s 116 -r -
>
> because tail doesn't start at the right location. Using a blocksize
> (-b) with tail may also not be right, because the captured packets are
> not the same size.
>
> This seems to work:
>
>   $ tcpdump -n -s 116 -i pflog0
>
> but now, both tcpdump and pflogd are competing for the same interface
> pflog0. I'm afraid that in the latter case, every packet will be EITHER
> logged by pflogd XOR displayed by tcpdump. Is that so? If yes,
> /var/log/pflog would be incomplete, because some packets would have
> been snatched away from pflog0 by tcpdump, before pflogd ever got a
> chance to read them out.
>
> Is there a way to watch /var/log/pflog grow, while still making sure
> that pflogd logs EVERY packet that appears on the pflog0 interface? How?

Please post this to freebsd-pf, where you can get better help.

--
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.               PGP: 4BD6C0CB |
Re: Watching /var/log/pflog grow
cpghost [EMAIL PROTECTED] wrote:
> How can I watch /var/log/pflog grow with tcpdump, tail -f style?
> This won't work:
>
>   $ tail -f /var/log/pflog | tcpdump -n -s 116 -r -
>
> because tail doesn't start at the right location.
[...]
> I'm afraid that in the latter case, every packet will be EITHER
> logged by pflogd XOR displayed by tcpdump. Is that so? If yes,
> /var/log/pflog would be incomplete, because some packets would have
> been snatched away from pflog0 by tcpdump, before pflogd ever got a
> chance to read them out.
>
> Is there a way to watch /var/log/pflog grow, while still making sure
> that pflogd logs EVERY packet that appears on the pflog0 interface? How?

According to pflogd(8):

  Display the logs in real time (this does not interfere with the
  operation of pflogd):

    # tcpdump -n -e -ttt -i pflog0

--
Sahil Tandon [EMAIL PROTECTED]
Re: Watching /var/log/pflog grow
On Tue, Nov 04, 2008 at 07:20:42PM +, Matthew Seaman wrote:
> cpghost wrote:
> > How can I watch /var/log/pflog grow with tcpdump, tail -f style?
> > This won't work:
> >
> >   $ tail -f /var/log/pflog | tcpdump -n -s 116 -r -
> >
> > because tail doesn't start at the right location. Using a blocksize
> > (-b) with tail may also not be right, because the captured packets are
> > not the same size.
> >
> > This seems to work:
> >
> >   $ tcpdump -n -s 116 -i pflog0
> >
> > but now, both tcpdump and pflogd are competing for the same interface
> > pflog0. I'm afraid that in the latter case, every packet will be EITHER
> > logged by pflogd XOR displayed by tcpdump. Is that so? If yes,
> > /var/log/pflog would be incomplete, because some packets would have
> > been snatched away from pflog0 by tcpdump, before pflogd ever got a
> > chance to read them out.
> >
> > Is there a way to watch /var/log/pflog grow, while still making sure
> > that pflogd logs EVERY packet that appears on the pflog0 interface? How?
>
> Running tcpdump against the pflog0 pseudo-interface no more stops pflogd
> recording the traffic than running tcpdump on your network interface
> blocks traffic from the net.

Ah, okay. pflog0 therefore delivers a *copy* of the packets to all
subscribers. That's good to know!

> tcpdump -vv -i pflog0 really is the way to go if you want to see what
> your firewall is logging in real time.

Yep, will do. Thanks for helping.

-cpghost.

> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.
> 7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
> PGP: http://www.infracaninophile.co.uk/pgpkey

--
Cordula's Web. http://www.cordula.ws/
Re: Watching /var/log/pflog grow
On Tue, Nov 04, 2008 at 09:22:42PM -0500, Sahil Tandon wrote:
> cpghost [EMAIL PROTECTED] wrote:
> > How can I watch /var/log/pflog grow with tcpdump, tail -f style?
> > This won't work:
> >
> >   $ tail -f /var/log/pflog | tcpdump -n -s 116 -r -
> >
> > because tail doesn't start at the right location.
> [...]
> > I'm afraid that in the latter case, every packet will be EITHER
> > logged by pflogd XOR displayed by tcpdump. Is that so? If yes,
> > /var/log/pflog would be incomplete, because some packets would have
> > been snatched away from pflog0 by tcpdump, before pflogd ever got a
> > chance to read them out.
> >
> > Is there a way to watch /var/log/pflog grow, while still making sure
> > that pflogd logs EVERY packet that appears on the pflog0 interface? How?
>
> According to pflogd(8):
>
>   Display the logs in real time (this does not interfere with the
>   operation of pflogd):
>
>     # tcpdump -n -e -ttt -i pflog0

EOUTOFCAFFEINE

I actually read the man page, but I didn't pay attention to this.
Sorry for the noise and thanks for pointing it out.

-cpghost.

--
Cordula's Web. http://www.cordula.ws/
Re: Watching /var/log/pflog grow
On Tue, Nov 04, 2008 at 05:15:57PM -0800, Jeremy Chadwick wrote:
> On Tue, Nov 04, 2008 at 08:13:54PM +0100, cpghost wrote:
> > How can I watch /var/log/pflog grow with tcpdump, tail -f style?
> > This won't work:
> >
> >   $ tail -f /var/log/pflog | tcpdump -n -s 116 -r -
> >
> > because tail doesn't start at the right location. Using a blocksize
> > (-b) with tail may also not be right, because the captured packets are
> > not the same size.
> >
> > This seems to work:
> >
> >   $ tcpdump -n -s 116 -i pflog0
> >
> > but now, both tcpdump and pflogd are competing for the same interface
> > pflog0. I'm afraid that in the latter case, every packet will be EITHER
> > logged by pflogd XOR displayed by tcpdump. Is that so? If yes,
> > /var/log/pflog would be incomplete, because some packets would have
> > been snatched away from pflog0 by tcpdump, before pflogd ever got a
> > chance to read them out.
> >
> > Is there a way to watch /var/log/pflog grow, while still making sure
> > that pflogd logs EVERY packet that appears on the pflog0 interface? How?
>
> Please post this to freebsd-pf, where you can get better help.

Thank you, but the problem seems solved (pflog0 delivers copies of
packets). I'll test this tomorrow and should I miss some packets in the
log file, I'll surely raise the question again.

Thank you all for helping, on and off list.

-cpghost.

--
Cordula's Web. http://www.cordula.ws/
pflog
Hi all

I want to use pf (actually I use ipfw). Well, after I read the OpenBSD
book, I still don't know how I can log the pf log (with pflog) using
syslog, and I don't want (if it's possible) to write anything to my
hard disk (even if it's temporary, because it's a virtual disk; I'm
running vmware).

Regards.

--
Albert SHIH
Universite de Paris 7 (Denis DIDEROT)
U.F.R. de Mathematiques.
7th floor, plateau D, office 10
Local time: Mon May 22 15:14:51 CEST 2006
Re: pflog
On 5/22/06, Albert Shih [EMAIL PROTECTED] wrote:
> Hi all
>
> I want to use pf (actually I use ipfw). Well, after I read the OpenBSD
> book, I still don't know how I can log the pf log (with pflog) using
> syslog, and I don't want (if it's possible) to write anything to my
> hard disk (even if it's temporary, because it's a virtual disk; I'm
> running vmware).
>
> Regards.

Hi!

When you write your rules, you put log in them. Example:

  pass in quick log proto tcp from any to any keep state

Then you have to have pflogd started (pflog_enable=YES in /etc/rc.conf).
When pflog is started your binary log is located at /var/log/pflog.
You can read it with:

  tcpdump -n -t -r /var/log/pflog

If you want real time (because pflog is written with some delay):

  tcpdump -n -t -i pflog0
Re: pflog
On 22/05/2006 at 16:59:02+0300, Iantcho Vassilev wrote:
> On 5/22/06, Albert Shih [EMAIL PROTECTED] wrote:
>
> When you write your rules, you put log in them. Example:
>
>   pass in quick log proto tcp from any to any keep state
>
> Then you have to have pflogd started (pflog_enable=YES in /etc/rc.conf).
> When pflog is started your binary log is located at /var/log/pflog.
> You can read it with:
>
>   tcpdump -n -t -r /var/log/pflog
>
> If you want real time (because pflog is written with some delay):
>
>   tcpdump -n -t -i pflog0

Thanks. But I already know this. The problem is that with this method
the log is first written to the hard disk. And I don't want to do that
(well, I don't like it...). I would prefer pflogd to log directly to a
central server. Is that possible?

Regards.

--
Albert SHIH
Universite de Paris 7 (Denis DIDEROT)
U.F.R. de Mathematiques.
7th floor, plateau D, office 10
Local time: Mon May 22 16:08:02 CEST 2006
Re: pflog
This is discussed in the OpenBSD pf page:
http://www.openbsd.org/faq/pf/logging.html#syslog

On 5/22/06, Albert Shih [EMAIL PROTECTED] wrote:
> On 22/05/2006 at 16:59:02+0300, Iantcho Vassilev wrote:
> > On 5/22/06, Albert Shih [EMAIL PROTECTED] wrote:
> >
> > When you write your rules, you put log in them. Example:
> >
> >   pass in quick log proto tcp from any to any keep state
> >
> > Then you have to have pflogd started (pflog_enable=YES in /etc/rc.conf).
> > When pflog is started your binary log is located at /var/log/pflog.
> > You can read it with:
> >
> >   tcpdump -n -t -r /var/log/pflog
> >
> > If you want real time (because pflog is written with some delay):
> >
> >   tcpdump -n -t -i pflog0
>
> Thanks. But I already know this. The problem is that with this method
> the log is first written to the hard disk. And I don't want to do that
> (well, I don't like it...). I would prefer pflogd to log directly to a
> central server. Is that possible?
>
> Regards.
>
> --
> Albert SHIH
> Universite de Paris 7 (Denis DIDEROT)
> U.F.R. de Mathematiques.
> 7th floor, plateau D, office 10
> Local time: Mon May 22 16:08:02 CEST 2006
Re: pflog
On 22/05/2006 at 10:14:58-0400, Andy Greenwood wrote:
> This is discussed in the OpenBSD pf page:
> http://www.openbsd.org/faq/pf/logging.html#syslog

Thanks for the URL, but it seems the shell script writes to

  FILE=/home/pflogger/pflog5min.$(date +%Y%m%d%H%M)

first, before it pushes (by syslog) the log to a server.

Well, maybe it's impossible :-(

Regards.

--
Albert SHIH
Universite de Paris 7 (Denis DIDEROT)
U.F.R. de Mathematiques.
7th floor, plateau D, office 10
Local time: Mon May 22 16:19:32 CEST 2006
pflog summary script?
Does anyone have a simple shell/perl script that can take /var/log/pflog
and parse it into a simple txt or html?

I would like to cron a script that can clean up the output of pflog and
put it into something more readable... Basically something that looks
like:

  Time - SourceIP - Destination Port

or a count of these as well.

Thanks!

-JD
Re: pflog summary script?
On 2005-11-24 19:33, JD Bronson [EMAIL PROTECTED] wrote:
> Does anyone have a simple shell/perl script that can take /var/log/pflog
> and parse it into a simple txt or html?
>
> I would like to cron a script that can clean up the output of pflog and
> put it into something more readable... Basically something that looks
> like:
>
>   Time - SourceIP - Destination Port
>
> or a count of these as well.

I think what you want is something like the scripts included in these
posts:

  http://keramida.serverhive.com/weblog/archives/2004-12-28/switching-from-ipfilter-to-pf
  http://keramida.serverhive.com/weblog/archives/2005-01-04/more-fun-with-the-pf9-firewall

They are far from perfect and definitely not what I'd call production
quality, but they will serve fine as a starting point while you write
your own, I guess ;)
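The two pflog threads above ("Watching /var/log/pflog grow" and "pflog summary script?") both come down to reading the same file: /var/log/pflog is a pcap capture with link type DLT_PFLOG, and each record is a pflog header followed by the packet. The Python below is an added example written for this page; it is not code from any of the posts, from the linked weblog scripts, or from FreeBSD/pflogd. It shows why `tail -f | tcpdump -r -` cannot work (the pcap file header exists only once, at offset 0, and records are variable-length, so a follower has to track record boundaries itself and hold back the record pflogd is still writing), and it produces the "Time - SourceIP - Destination Port" lines with counts that JD asked for. Assumptions, labelled in the code as well: the pflog header is the 61-byte pfloghdr that tcpdump's pflog printer decodes (length byte first, rounded up to a 4-byte boundary, with af, action, ifname and rulenr at the offsets used), the action codes are PF_PASS=0 and PF_DROP=1, only IPv4 over TCP/UDP is decoded, and the capture is constructed in memory with documentation addresses and a made-up interface name `em0`.

```python
"""Offline reader for pflogd's /var/log/pflog (added example, not from the list
posts).  Assumption: the 61-byte pfloghdr that tcpdump decodes, length byte
first and rounded up to a 4-byte boundary; only IPv4 over TCP/UDP is decoded."""
import socket
import struct
import time
from collections import Counter

DLT_PFLOG, AF_INET = 117, 2             # pcap link type pflogd writes; IPv4
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR, REC_HDR = 24, 16            # pcap file header (offset 0 only), record header
PF_ACTIONS = {0: "pass", 1: "block"}    # PF_PASS / PF_DROP in pfvar.h (assumption)

def pcap_byteorder(buf):
    """struct prefix for the capture's native byte order; raises if not pcap."""
    (magic,) = struct.unpack("<I", buf[:4])
    if magic in (PCAP_MAGIC, 0xD4C3B2A1):
        return "<" if magic == PCAP_MAGIC else ">"
    raise ValueError("not a pcap file")

def drain(buf, offset, order):
    """Complete records from offset on, plus the offset of the first incomplete
    one.  tail -f cannot do this: records are variable-length, so only a reader
    that tracks boundaries can tell a finished record from a half-written one."""
    records = []
    while offset + REC_HDR <= len(buf):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(
            order + "IIII", buf[offset:offset + REC_HDR])
        start = offset + REC_HDR
        if start + incl_len > len(buf):
            break                       # pflogd is still writing this record
        records.append((ts_sec + ts_usec / 1e6, buf[start:start + incl_len]))
        offset = start + incl_len
    return records, offset

def follow(path, poll=1.0):
    """Yield (timestamp, packet) as pflogd appends; reading the file competes
    with pflogd no more than tcpdump -i pflog0 does."""
    with open(path, "rb") as f:
        head = f.read(GLOBAL_HDR)
        order = pcap_byteorder(head)
        if struct.unpack(order + "I", head[20:24])[0] != DLT_PFLOG:
            raise ValueError("not a pflog capture")
        pending = b""
        while True:
            chunk = f.read()
            if chunk:
                records, used = drain(pending + chunk, 0, order)
                pending = (pending + chunk)[used:]
                yield from records
            else:
                time.sleep(poll)

def parse_pflog(pkt):
    """Decode pfloghdr plus the IPv4 header and TCP/UDP ports behind it."""
    hdrlen = (pkt[0] + 3) & ~3          # tcpdump rounds the length byte up to 4
    rec = {"action": PF_ACTIONS.get(pkt[2], str(pkt[2])),
           "ifname": pkt[4:20].split(b"\0", 1)[0].decode(),
           "rulenr": struct.unpack("!I", pkt[36:40])[0],
           "src": None, "dst": None, "proto": None, "dport": None}
    if pkt[1] != AF_INET:               # IPv6 left out of this example
        return rec
    ip = pkt[hdrlen:]
    ihl = (ip[0] & 0x0F) * 4
    rec["proto"], rec["src"], rec["dst"] = (
        ip[9], socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]))
    if rec["proto"] in (6, 17) and len(ip) >= ihl + 4:
        rec["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])[1]
    return rec

def summarize(records):
    """One 'Time - SourceIP - DestinationPort' line per record, plus counts."""
    lines, counts = [], Counter()
    for ts, pkt in records:
        p = parse_pflog(pkt)
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts))
        lines.append(f"{stamp} - {p['src']} - {p['dport']} "
                     f"({p['action']} rule {p['rulenr']} on {p['ifname']})")
        counts[(p["src"], p["dport"])] += 1
    return lines, counts

def make_record(ts, action, rulenr, src, dst, dport, proto=6):
    """Constructed record: pfloghdr (61 bytes + 3 pad), IPv4 header, ports."""
    pfhdr = struct.pack("!BBBB16s16sIIIIIIB3x", 61, AF_INET, action, 0,
                        b"em0", b"", rulenr, 0, 0, 0, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    pkt = pfhdr + ip + struct.pack("!HH", 40000, dport)
    return struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt

# Constructed capture: documentation addresses, made-up interface name em0.
SAMPLE = (struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 116, DLT_PFLOG)
          + make_record(1225826034, 1, 12, "198.51.100.7", "192.0.2.10", 22)
          + make_record(1225826035, 1, 12, "198.51.100.7", "192.0.2.10", 22)
          + make_record(1225826040, 0, 3, "203.0.113.5", "192.0.2.10", 80))

def demo(buf=SAMPLE):
    """Summarize the sample, then re-read a copy cut mid-record: the cut record
    is held back instead of being mis-parsed."""
    order = pcap_byteorder(buf)
    records, end = drain(buf, GLOBAL_HDR, order)
    lines, counts = summarize(records)
    partial, resync = drain(buf[:-10], GLOBAL_HDR, order)
    return {"lines": lines, "counts": counts, "complete": len(records),
            "end": end, "partial": len(partial), "resync": resync}
```

Call `demo()` to see the summary of the constructed capture; for a real log, iterate `follow("/var/log/pflog")` and feed each record to `parse_pflog` or `summarize`. Two caveats a practitioner would want: the follower never notices the fresh pcap file header that appears when the log is rotated and pflogd reopens it (compare the inode and restart from the global header when it changes), and pflog header fields beyond rulenr differ between pf versions, which is why the code trusts the length byte rather than a hard-coded header size.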
Re: pflog trouble?
Dick Hoogendijk [EMAIL PROTECTED] writes:
> Today I compiled some kde stuff for a few hours on my fbsd-6.0 box and
> when I gave the shutdown -p now command it took minutes to complete
> the shutdown process. The machine seemed to hang on the shutdown of
> the pflog device. The process /was/ completed successfully in the end
> but I wonder what happened.. After starting up again and (again) a
> shutdown -p now all went well and fast.
>
> Anybody a clue?

You need a bit more information than that for a decent clue.
It might well be that whatever hangs is right *after* pflog, though...
Re: pflog trouble?
On 14 Nov 2005 10:03:32 -0500 Lowell Gilbert [EMAIL PROTECTED] wrote:
> Dick Hoogendijk [EMAIL PROTECTED] writes:
> > Today I compiled some kde stuff for a few hours on my fbsd-6.0 box and
> > when I gave the shutdown -p now command it took minutes to complete
> > the shutdown process. The machine seemed to hang on the shutdown of
> > the pflog device. The process /was/ completed successfully in the end
> > but I wonder what happened.. After starting up again and (again) a
> > shutdown -p now all went well and fast.
> >
> > Anybody a clue?
>
> You need a bit more information than that for a decent clue.
> It might well be that whatever hangs is right *after* pflog, though...

Right. This /is/ indeed the case. Sometimes there are some processes
that won't be killed normally. I get the warning "use ps axl"... But
after a very long time the machine does shut down and a ps axl does not
show anything ;-)

It does not happen always; so, I don't have a clue how to investigate
what causes the hangs.. any tips?

--
dick -- http://nagual.st/
-- PGP/GnuPG key: F86289CE
++ Running FreeBSD 4.11-stable ++ FreeBSD 6.0
+ Nai tiruvantel ar vayuvantel i Valar tielyanna nu vilja
pflog trouble?
Today I compiled some kde stuff for a few hours on my fbsd-6.0 box and
when I gave the shutdown -p now command it took minutes to complete the
shutdown process. The machine seemed to hang on the shutdown of the
pflog device. The process /was/ completed successfully in the end but I
wonder what happened.. After starting up again and (again) a shutdown
-p now all went well and fast.

Anybody a clue?

--
dick -- http://nagual.st/
-- PGP/GnuPG key: F86289CE
++ Running FreeBSD 4.11-stable ++ FreeBSD 5.4
+ Nai tiruvantel ar vayuvantel i Valar tielyanna nu vilja