watching the log in real time

Jeremy Chadwick koitsu at freebsd.org
Mon Mar 17 14:50:41 UTC 2008


On Mon, Mar 17, 2008 at 02:50:18PM +0100, Stephan F. Yaraghchi wrote:
> When I issue 'tcpdump -netttt -i pflog0' to watch the log in real time
> I'm getting pretty brief output like:
> 
> 2008-03-16 11:46:45.527125 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.590116 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.652107 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.715098 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:45.777087 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:47.249281 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:50.011245 rule 0/0(match): block in on fxp1: [|ip]
> 2008-03-16 11:46:52.761126 rule 0/0(match): block in on fxp1: [|ip]

Choose a larger snaplen size for tcpdump to use, e.g. tcpdump -s 1024.
Don't pick something absurdly large.

There is a discussion as to whether or not tcpdump on FreeBSD should
default to using a larger snaplen size (128 would be good).

-- 
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                  PGP: 4BD6C0CB |
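As an added illustration that is not part of this thread: the `[|ip]` at the end of each quoted line is tcpdump's marker for a packet that was cut off by the snaplen before the IP header could be decoded, so those lines say nothing about the blocked traffic itself. The Python below (my example, not from either poster) parses pflog lines in the format shown above and counts how many are truncated, which is a quick way to confirm that a capture needs a larger `-s` before reading anything into the rule matches. The sample lines are constructed; the third line's decoded payload is invented to show what a full decode looks like.

```python
import re
from collections import Counter

# Constructed sample in the format 'tcpdump -netttt -i pflog0' prints.
# The first two lines are truncated ("[|ip]") exactly as in the post; the
# third is a constructed example of a line captured with a larger snaplen.
SAMPLE_LINES = """\
2008-03-16 11:46:45.527125 rule 0/0(match): block in on fxp1: [|ip]
2008-03-16 11:46:45.590116 rule 0/0(match): block in on fxp1: [|ip]
2008-03-16 11:46:47.249281 rule 0/0(match): block in on fxp1: 192.0.2.10.4321 > 198.51.100.5.22: S 0:0(0) win 65535
"""

# Matches the 'rule N/M(reason): action dir on ifname: payload' layout above.
PFLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>[^)]+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): (?P<payload>.*)$"
)

# tcpdump prints [|proto] when the snapshot ended before that header was complete.
TRUNCATED_MARKER = "[|ip]"


def parse_line(line):
    """Return a dict of fields for one pflog line, or None if it does not match."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["truncated"] = rec["payload"].strip() == TRUNCATED_MARKER
    return rec


def summarize(text):
    """Count parsed and truncated lines, plus matches per (action, dir, ifname)."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    by_rule = Counter((r["action"], r["dir"], r["ifname"]) for r in recs)
    truncated = sum(1 for r in recs if r["truncated"])
    return {"parsed": len(recs), "truncated": truncated, "by_rule": by_rule}


def snaplen_too_small(text, threshold=0.5):
    """True when more than `threshold` of the parsed lines are truncated,
    i.e. the capture should be repeated with a larger -s value."""
    s = summarize(text)
    return s["parsed"] > 0 and s["truncated"] / s["parsed"] > threshold


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    print(summary)
    if snaplen_too_small(SAMPLE_LINES):
        print("most lines are truncated: rerun tcpdump with a larger -s")
```

Feed it real output by piping `tcpdump -netttt -i pflog0` into it line by line; if `snaplen_too_small` reports true, the per-rule counts are still valid (the pflog header arrives intact) but nothing about addresses or ports can be trusted until the capture is redone with a larger snaplen.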