Thread: watching the log in real time

watching the log in real time
Stephan F. Yaraghchi
2008-03-17 08:50:18
Hi,

I have a question concerning the logging of pf on FreeBSD 7.0-RELEASE.

When I issue 'tcpdump -netttt -i pflog0' to watch the log in real time
I'm getting pretty brief output like:

2008-03-16 11:46:45.527125 rule 0/0(match): block in on fxp1: [|ip]
2008-03-16 11:46:45.590116 rule 0/0(match): block in on fxp1: [|ip]
2008-03-16 11:46:45.652107 rule 0/0(match): block in on fxp1: [|ip]
2008-03-16 11:46:45.715098 rule 0/0(match): block in on fxp1: [|ip]
2008-03-16 11:46:45.777087 rule 0/0(match): block in on fxp1: [|ip]
2008-03-16 11:46:47.249281 rule 0/0(match): block in on fxp1: [|ip]
2008-03-16 11:46:50.011245 rule 0/0(match): block in on fxp1: [|ip]
2008-03-16 11:46:52.761126 rule 0/0(match): block in on fxp1: [|ip]


When I look back into the history of the log with 'tcpdump -netttt -r
/var/log/pflog' the output is much more verbose:

2008-03-16 11:46:45.527125 rule 0/0(match): block in on fxp1: 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
2008-03-16 11:46:45.590116 rule 0/0(match): block in on fxp1: 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
2008-03-16 11:46:45.652107 rule 0/0(match): block in on fxp1: 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
2008-03-16 11:46:45.715098 rule 0/0(match): block in on fxp1: 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
2008-03-16 11:46:45.777087 rule 0/0(match): block in on fxp1: 192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)
2008-03-16 11:46:47.249281 rule 0/0(match): block in on fxp1: 192.168.204.10.138 > 192.168.204.255.138: NBT UDP PACKET(138)
2008-03-16 11:46:50.011245 rule 0/0(match): block in on fxp1: 192.168.204.10.138 > 192.168.204.255.138: NBT UDP PACKET(138)
2008-03-16 11:46:52.761126 rule 0/0(match): block in on fxp1: 192.168.204.10.138 > 192.168.204.255.138: NBT UDP PACKET(138)


What do I have to do to see that much info while watching the log in real time?

-- 
With kind regards


+++ stephan f. yaraghchi

+++ mail: stephan at yaraghchi dot org

www.deine-stimme-gegen-armut.de
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Re: watching the log in real time
Czuczy Gergely (Hungary)
2008-03-17 09:22:12
On Mon, 17 Mar 2008 14:50:18 +0100
"Stephan F. Yaraghchi" <stephan@yaraghchi.org> wrote:

> Hi,
Hello,

> 
> I have a question concerning the logging of pf on FreeBSD 7.0-RELEASE.
> 
> When I issue 'tcpdump -netttt -i pflog0' to watch the log in real time
> I'm getting pretty brief output like:
> 
> 2008-03-16 11:46:45.527125 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.590116 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.652107 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.715098 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.777087 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:47.249281 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:50.011245 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:52.761126 rule 0/0(match): block in on fxp1: [|ip]
[| means that it wasn't able to decode the packet further, because the
snaplength is too small. Adjust it with -s, and check man tcpdump.



-- 
Regards,

Czuczy Gergely
Harmless Digital Bt
mailto: gergely.czuczy@harmless.hu
Tel: +36-30-9702963
Re: watching the log in real time
Jeremy Chadwick (United States)
2008-03-17 09:50:40
On Mon, Mar 17, 2008 at 02:50:18PM +0100, Stephan F. Yaraghchi wrote:
> When I issue 'tcpdump -netttt -i pflog0' to watch the log in real time
> I'm getting pretty brief output like:
> 
> 2008-03-16 11:46:45.527125 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.590116 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.652107 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.715098 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.777087 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:47.249281 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:50.011245 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:52.761126 rule 0/0(match): block in on fxp1: [|ip]

Choose a larger snaplen size for tcpdump to use, e.g. tcpdump -s 1024.
Don't pick something absurdly large.

There is a discussion as to whether or not tcpdump on FreeBSD should
default to using a larger snaplen size (128 would be good).

-- 
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                 PGP: 4BD6C0CB |


Re: watching the log in real time
Stephan F. Yaraghchi
2008-03-17 10:05:48
Cheers mate!

You solved my problem...

On Mon, Mar 17, 2008 at 3:22 PM, CZUCZY Gergely <gergely.czuczy@harmless.hu> wrote:
> [| means that it wasn't able to decode the packet further, because the
> snaplength is too small. Adjust it with -s, and check man tcpdump.

-- 
With kind regards


+++ stephan f. yaraghchi

+++ lychener str. 61a
+++ 10437 berlin, germany
+++
+++ mail stephanyaraghchi.org
+++ phone +49 30 44650068
+++ cell +49 172 3111534

www.deine-stimme-gegen-armut.de

Re: watching the log in real time
Stephan F. Yaraghchi
2008-03-17 10:07:23
Thank you, too!

On Mon, Mar 17, 2008 at 3:50 PM, Jeremy Chadwick <koitsu@freebsd.org> wrote:
> Choose a larger snaplen size for tcpdump to use, e.g. tcpdump -s 1024.
> Don't pick something absurdly large.
>
> There is a discussion as to whether or not tcpdump on FreeBSD should
> default to using a larger snaplen size (128 would be good).

-- 
With kind regards


+++ stephan f. yaraghchi

+++ lychener str. 61a
+++ 10437 berlin, germany
+++
+++ mail stephanyaraghchi.org
+++ phone +49 30 44650068
+++ cell +49 172 3111534

www.deine-stimme-gegen-armut.de

Re: watching the log in real time
Greg (United Kingdom)
2008-03-17 10:15:14
On Mon, March 17, 2008 1:50 pm, Stephan F. Yaraghchi wrote:

> What do I have to do to see that much info while watching the log in real
> time?

Use the '-l' flag additionally with tcpdump and increase the snapsize to
96 bytes with '-s'.


Regards

Greg




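As an added example that is not part of the thread, nor code from FreeBSD or tcpdump: a small Python parser for the pflog record format the thread shows, which separates records tcpdump decoded from those it cut short with a '[|ip]' marker, so a too-small snaplen shows up as a count rather than something noticed by eye. It assumes the layout printed by 'tcpdump -n -e -tttt' on pflog0 (timestamp, 'rule N/M(reason)', action, direction, interface, then the decoded packet or the truncation marker) and that addresses are printed numerically. The sample records are the thread's own plus one constructed ICMP line and one non-record tcpdump warning; the function names are this example's own.

```python
"""Added example, not code from the thread or from FreeBSD/tcpdump.

Parses the one-line records tcpdump prints for pf's pflog0 interface when
run as 'tcpdump -n -e -tttt -i pflog0' (the format shown in the thread):
timestamp, 'rule N/M(reason)', action, direction, interface, then either
the decoded packet or a '[|proto]' marker meaning the capture was cut short.
The sample records are taken from the thread's output plus one constructed
ICMP line; function names here are this example's own.
"""
import re
import sys
from collections import Counter

# 'reason' is pf's reason string (match, short, fragment, bad-offset, ...).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>[\w-]+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>[\w.]+): (?P<rest>.*)$"
)
# Decoded payload: 'src > dst: protocol summary'. With -n tcpdump appends
# the port to the address with a dot, e.g. 192.168.204.4.138.
ENDPOINTS_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): ?(?P<proto>.*)$")

SAMPLE_LINES = [
    # Live capture with the default snaplen: the captured bytes ran out
    # inside the IP header, so tcpdump prints only the truncation marker.
    "2008-03-16 11:46:45.527125 rule 0/0(match): block in on fxp1: [|ip]",
    "2008-03-16 11:46:45.590116 rule 0/0(match): block in on fxp1: [|ip]",
    # The same traffic with enough bytes captured to decode (from the thread).
    "2008-03-16 11:46:45.652107 rule 0/0(match): block in on fxp1: "
    "192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)",
    "2008-03-16 11:46:45.715098 rule 0/0(match): block in on fxp1: "
    "192.168.204.4.138 > 192.168.204.255.138: NBT UDP PACKET(138)",
    "2008-03-16 11:46:47.249281 rule 0/0(match): block in on fxp1: "
    "192.168.204.10.138 > 192.168.204.255.138: NBT UDP PACKET(138)",
    # Constructed record (not from the thread) with no port numbers.
    "2008-03-16 11:46:48.000000 rule 3/0(match): block in on fxp1: "
    "192.168.204.10 > 192.168.204.1: ICMP echo request, id 1, seq 1, length 64",
    # Not a pflog record; parse_line() must ignore it.
    "tcpdump: WARNING: pflog0: no IPv4 address assigned",
]


def split_endpoint(endpoint):
    """Split tcpdump's 'host.port' form into (host, port); port is None if absent."""
    octets = endpoint.split(".")
    if len(octets) == 4 and all(o.isdigit() for o in octets):
        return endpoint, None            # bare IPv4 address (ICMP, IGMP, ...)
    host, dot, port = endpoint.rpartition(".")
    if dot and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_line(line):
    """Return a dict for one pflog record, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["subrule"] = int(rec["subrule"])
    rest = rec.pop("rest")
    rec["truncated"] = rest.startswith("[|")   # e.g. '[|ip]': snaplen too small
    rec.update(src=None, sport=None, dst=None, dport=None, proto=None)
    ep = ENDPOINTS_RE.match(rest)
    if ep and not rec["truncated"]:
        rec["src"], rec["sport"] = split_endpoint(ep.group("src"))
        rec["dst"], rec["dport"] = split_endpoint(ep.group("dst"))
        rec["proto"] = ep.group("proto")
    return rec


def summarize(lines):
    """Count records, count truncated ones, and tally decoded blocks by source."""
    recs = [r for r in map(parse_line, lines) if r is not None]
    blocked = Counter(
        (r["ifname"], r["src"], r["dport"])
        for r in recs if r["action"] == "block" and not r["truncated"]
    )
    return {
        "records": len(recs),
        "truncated": sum(r["truncated"] for r in recs),
        "blocked": blocked,
    }


def report(lines):
    s = summarize(lines)
    print(f"{s['records']} pflog records, {s['truncated']} truncated")
    if s["truncated"]:
        print("truncated records present: raise tcpdump's snaplen with -s")
    for (ifname, src, dport), n in s["blocked"].most_common():
        print(f"{n:5d}  block on {ifname}  from {src}  to port {dport}")


if __name__ == "__main__":
    # Pipe a live capture in ('tcpdump -l ... | python3 this.py') or run
    # without input to see the constructed sample.
    report(sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES)
```

To run it against a live capture: tcpdump -l -n -e -tttt -s 256 -i pflog0 | python3 pflog_parse.py (file name assumed). The -l keeps tcpdump line-buffered when its output goes to a pipe, as suggested in the thread, and -s raises the snaplen so the records decode; any records still counted as truncated mean the snaplen is still below what the pflog header plus the packet headers need. The on-disk /var/log/pflog decoded fully in the thread because pflogd(8) writes it with its own snaplen (its -s option), independent of the value tcpdump uses when reading pflog0 live.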
