| author | Jason McIntyre <jmc@cvs.openbsd.org> | 2011-05-06 18:30:44 +0000 |
|---|---|---|
| committer | Jason McIntyre <jmc@cvs.openbsd.org> | 2011-05-06 18:30:44 +0000 |
| commit | 4bd17fcb6a88a7ceb3221bc947c6821d436c34ea (patch) | |
| tree | 0b22de4f8913aa64b7123d731967af7a6087f819 /sbin/pflogd | |
| parent | 6ae75a554d27116e763d7ecf5e2a041e1c43742c (diff) | |
put the tcpdump-specific stuff in a sane place (that is, not EXAMPLES);
ok sthen henning
Diffstat (limited to 'sbin/pflogd')
-rw-r--r-- | sbin/pflogd/pflogd.8 | 71 |
1 files changed, 35 insertions, 36 deletions
diff --git a/sbin/pflogd/pflogd.8 b/sbin/pflogd/pflogd.8 index 9e6c2824df4..c736061a730 100644 --- a/sbin/pflogd/pflogd.8 +++ b/sbin/pflogd/pflogd.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pflogd.8,v 1.41 2010/05/14 18:17:02 schwarze Exp $ +.\" $OpenBSD: pflogd.8,v 1.42 2011/05/06 18:30:43 jmc Exp $ .\" .\" Copyright (c) 2001 Can Erkin Acar. All rights reserved. .\" @@ -24,7 +24,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: May 14 2010 $ +.Dd $Mdocdate: May 6 2011 $ .Dt PFLOGD 8 .Os .Sh NAME 
@@ -135,46 +135,14 @@ Check the integrity of an existing log file, and return. .It Ar expression Selects which packets will be dumped, using the regular language of .Xr tcpdump 8 . -.El -.Sh FILES -.Bl -tag -width /var/run/pflogd.pid -compact -.It Pa /var/log/pflog -Default log file. -.El -.Sh EXAMPLES -Log specific tcp packets to a different log file with a large snaplen -(useful with a log-all rule to dump complete sessions): -.Bd -literal -offset indent -# pflogd -s 1600 -f suspicious.log port 80 and host evilhost -.Ed -.Pp -Log from another -.Xr pflog 4 -interface, excluding specific packets: -.Bd -literal -offset indent -# pflogd -i pflog3 -f network3.log "not (tcp and port 23)" -.Ed -.Pp -Display binary logs: -.Bd -literal -offset indent -# tcpdump -n -e -ttt -r /var/log/pflog -.Ed -.Pp -Display the logs in real time (this does not interfere with the -operation of -.Nm ) : -.Bd -literal -offset indent -# tcpdump -n -e -ttt -i pflog0 -.Ed -.Pp Tcpdump has been extended to be able to filter on the pfloghdr structure defined in .Aq Ar net/if_pflog.h . -Tcpdump can restrict the output +It can restrict the output to packets logged on a specified interface, a rule number, a reason, a direction, an IP family or an action. .Pp -.Bl -tag -width "ruleset authpf " -compact +.Bl -tag -width "ruleset authpfXXX" -offset 3n -compact .It ip Address family equals IPv4. .It ip6 
@@ -201,6 +169,37 @@ The direction was inbound. .It outbound The direction was outbound. .El +.El +.Sh FILES +.Bl -tag -width /var/run/pflogd.pid -compact +.It Pa /var/log/pflog +Default log file. +.El +.Sh EXAMPLES +Log specific tcp packets to a different log file with a large snaplen +(useful with a log-all rule to dump complete sessions): +.Bd -literal -offset indent +# pflogd -s 1600 -f suspicious.log port 80 and host evilhost +.Ed +.Pp +Log from another +.Xr pflog 4 +interface, excluding specific packets: +.Bd -literal -offset indent +# pflogd -i pflog3 -f network3.log "not (tcp and port 23)" +.Ed +.Pp +Display binary logs: +.Bd -literal -offset indent +# tcpdump -n -e -ttt -r /var/log/pflog +.Ed +.Pp +Display the logs in real time (this does not interfere with the +operation of +.Nm ) : +.Bd -literal -offset indent +# tcpdump -n -e -ttt -i pflog0 +.Ed .Pp Display the logs in real time of inbound packets that were blocked on the wi0 interface: |
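Review bot: In the `@@ -135,46` hunk, the line `+It can restrict the output` replaces `-Tcpdump can restrict the output`, and the new pronoun has two closer noun phrases in front of it ("the pfloghdr structure" and "net/if_pflog.h"); since this paragraph is now nested under the `.It Ar expression` item rather than standing in its own section, keeping "Tcpdump" as the explicit subject would read unambiguously. The same hunk drops the `-.El` that used to close the options list, so the options `.Bl` now stays open across the whole filter-keyword list; that is the intended nesting, and the `-offset 3n` added to `.Bl -tag -width "ruleset authpfXXX" -offset 3n -compact` indents the keyword list under the expression entry, but the matching close only arrives in the next hunk, so the two hunks must land together and the result should be checked with `mandoc -Tlint sbin/pflogd/pflogd.8` to confirm the list nesting balances.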
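Review bot: In the `@@ -201,6` hunk, the added `+.El` is the close for the options `.Bl` left open by the previous hunk, so the change is only well-formed once both hunks are applied; the moved FILES and EXAMPLES sections are otherwise byte-identical to the removed text, so the example commands (`# pflogd -s 1600 -f suspicious.log port 80 and host evilhost`, `# tcpdump -n -e -ttt -r /var/log/pflog`, `# tcpdump -n -e -ttt -i pflog0`) are unchanged. One documentation point: the trailing context shows the real-time example for inbound packets blocked on the wi0 interface still sits in EXAMPLES, and it is described in terms of the direction and action keywords that this commit moves up under the `expression` option, so a short cross-reference from that example back to the `expression` entry would help a reader who lands on EXAMPLES first.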