Diffstat (limited to 'sbin/pflogd/pflogd.8')
-rw-r--r--  sbin/pflogd/pflogd.8  28 (+18/-10)
1 files changed, 18 insertions, 10 deletions
diff --git a/sbin/pflogd/pflogd.8 b/sbin/pflogd/pflogd.8 index ad7568b8472..60c986ca685 100644 --- a/sbin/pflogd/pflogd.8 +++ b/sbin/pflogd/pflogd.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pflogd.8,v 1.16 2002/11/09 00:57:20 fgsch Exp $ +.\" $OpenBSD: pflogd.8,v 1.17 2003/01/28 10:40:21 jmc Exp $ .\" .\" Copyright (c) 2001 Can Erkin Acar. All rights reserved. .\" @@ -49,7 +49,7 @@ in .Xr tcpdump 8 binary format. These logs can be reviewed later using the -.Ar -r +.Fl r option of .Xr tcpdump 8 , hopefully offline in case there are bugs in the packet parsing code of @@ -99,31 +99,36 @@ The default of 96 is adequate for IP, ICMP, TCP, and UDP headers but may truncate protocol information for other protocols. Other file parsers may desire a higher snaplen. .It Ar expression -selects which packets will be dumped, using the regular language of +Selects which packets will be dumped, using the regular language of .Xr tcpdump 8 . .El .Sh EXAMPLES Log specific tcp packets to a different log file with a large snaplen (useful with a log-all rule to dump complete sessions) .Bd -literal -offset indent -# pflogd -s 1600 -f suspicious.log port 80 and host evilhost +.Xo Ic # pflogd -s 1600 -f suspicious.log port 80\ +.Ic and host evilhost +.Xc .Ed .Pp Display binary logs: .Bd -literal -offset indent -# tcpdump -n -e -ttt -r /var/log/pflog +.Ic # tcpdump -n -e -ttt -r /var/log/pflog .Ed .Pp Display the logs in real time (this does not interfere with the operation of pflogd): .Bd -literal -offset indent -# tcpdump -n -e -ttt -i pflog0 +.Ic # tcpdump -n -e -ttt -i pflog0 .Ed .Pp Tcpdump has been extended to to be able to filter on the pfloghdr -structure defined in net/if_pflog.h. Tcpdump can restrict the output +structure defined in +.Aq Ar net/if_pflog.h . +Tcpdump can restrict the output to packets logged on a specified interface, a rule number, a reason, a direction, an ip family or an action. +.Pp .Bl -tag -width "reason match " -compact .It ip Address family equals IPv4. 
@@ -149,14 +154,17 @@ The direction was outbound. Display the logs in real time of inbound packets that were blocked on the wi0 interface: .Bd -literal -offset indent -# tcpdump -n -e -ttt -i pflog0 inbound and action block and on wi0 +.Xo Ic # tcpdump -n -e -ttt -i pflog0 inbound\ +.Ic and action block and on wi0 +.Xc .Ed .Sh FILES .Bl -tag -width /var/run/pflogd.pid -compact .It Pa /var/run/pflogd.pid -process ID of current +Process ID of the currently running +.Nm pflogd . .It Pa /var/log/pflog -Default log file +Default log file. .El .Sh SEE ALSO .Xr pcap 3 , |
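Review bot: the context line "Tcpdump has been extended to to be able to filter on the pfloghdr" in the EXAMPLES hunk still carries a doubled "to"; since the hunk already rewrites the line right after it ("structure defined in .Aq Ar net/if_pflog.h ."), drop the duplicate here as well: "Tcpdump has been extended to be able to filter on the pfloghdr". In the same paragraph "an ip family" would read more consistently as "an IP family", matching the "IPv4" used in the list that follows.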
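Review bot: in the FILES hunk the split example `.Xo Ic # tcpdump -n -e -ttt -i pflog0 inbound\` / `.Ic and action block and on wi0` / `.Xc` depends on the trailing backslash to keep the command on a single output line inside the `.Bd -literal` display; please check the rendered page so that the break does not reappear and the space before "and" is preserved, since the same idiom is now used for the pflogd example in the EXAMPLES hunk. The new `.Nm pflogd .` under `/var/run/pflogd.pid` can be a bare `.Nm .`, as the page name is already established by the NAME section and an explicit argument only invites drift if the name changes.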