Wandering Thoughts archives

2023-03-06

Special tcpdump filtering options for OpenBSD's pflog interface

One of the convenient things that OpenBSD's pf packet filtering system can do is log packets of interest, as covered in the Packet Filtering section of the pf.conf manual page. These packets are logged to a special pflog network interface (where a daemon will generally write them to disk). Since this is a network interface, you can monitor traffic on it with OpenBSD's version of tcpdump (or use tcpdump to read the log file).

As part of this, the OpenBSD tcpdump has some special additional filtering options that are useful for selecting interesting traffic on this pf logging interface. These are covered in the pcap-filter manual page; many or all of them can be found by searching it for mentions of pf(4). Here are the most notable ones that I want to remember.

action <something>
Matches if PF blocked, passed, nat'd, or did whatever to a particular packet. Using 'action block' or 'action pass' can significantly reduce your confusion if you have a mixture of pass and block pf rules that log traffic, as we do. Because we have such a mix, I'm trying to condition myself to always use 'action block' as part of tcpdump'ing pflog0.

(For example, you might be passing and logging some traffic so that you can see how much of it you have.)

inbound or outbound
I believe that these have the same meaning as in pfctl -ss output. If you match in 'inbound' packets, you'll match only things logged by 'in' rules; if you match on 'outbound' packets, you'll match only things logged by 'out' rules. Or at least you'll match when packets are logged as they come in versus when they're logged as they get sent out.

on <interface>
This matches packets that came from a specific interface, regardless of what sort of rule caused them to be logged. With appropriate interface names, this may better correspond to what you think of as 'inbound' or 'outbound'.

rnr <number>
This matches a specific rule number, but at this point your life gets a little tricky because you have to find out the number of the rule you want. The easiest way to do this is to run 'pfctl -vv -s rules | grep @' and then find your rule or rules of interest. This also doesn't help you if the rule number has changed from when the packet was logged (for example because you've changed your pf.conf). You can use 'rulenum' as a synonym for this.

(At least things have gotten better here than they used to be in 2011.)

I believe that 'action block' is pretty safe, but if you want 'everything but blocked' you may want to just use 'not action block' rather than trying to figure out which other actions your specific configuration of rules needs you to use.
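As an added example (not code from the original post), here is a small POSIX shell script that does the two chores described above: it picks a rule number out of 'pfctl -vv -s rules' output the way 'grep @' does, and it composes a tcpdump filter expression for pflog0 from the pf-specific primitives (action, inbound/outbound, on, rnr), including the 'not action block' form. The pfctl output it parses is a constructed sample, and the interface name em0 and the rules themselves are made-up assumptions; the script prints the tcpdump command rather than running pfctl or tcpdump.

```shell
#!/bin/sh
# Added example, not from the original post. Builds tcpdump filter expressions
# for pflog0 out of the pf-specific pcap-filter primitives (action, inbound,
# outbound, on, rnr) and looks up a rule number the way
# 'pfctl -vv -s rules | grep @' does. Does not run pfctl or tcpdump itself.

# Constructed sample of 'pfctl -vv -s rules' output (assumption: interface em0,
# made-up rules). The '@N' prefix on a rule line is the number 'rnr N' matches.
SAMPLE_RULES='@0 block drop in log all
  [ Evaluations: 1024      Packets: 100       Bytes: 6400        States: 0     ]
@1 pass in log on em0 inet proto tcp from any to any port = 22 flags S/SA
  [ Evaluations: 900       Packets: 40        Bytes: 3200        States: 2     ]
@2 block drop in log quick on em0 inet proto udp from any to any port = 53
  [ Evaluations: 12        Packets: 3         Bytes: 210         States: 0     ]'

# rule_number RULES_TEXT PATTERN
# Print the number of the first rule line whose text contains PATTERN (a
# fixed string). Returns 1 if no rule matches, so a stale or mistyped rule
# is noticed instead of silently turning into an empty 'rnr'.
rule_number() {
    n=$(printf '%s\n' "$1" | grep '^@' | grep -F -- "$2" | head -n 1 |
        sed 's/^@\([0-9]*\).*/\1/')
    [ -n "$n" ] || return 1
    printf '%s\n' "$n"
}

# pflog_filter [-a ACTION] [-d inbound|outbound] [-i IFACE] [-r RULENR] [TERM ...]
# Join the pf primitives (and any plain pcap terms, e.g. 'not action block' or
# 'port 53') with 'and' into one tcpdump filter expression.
pflog_filter() {
    filt=""
    while [ $# -gt 0 ]; do
        case $1 in
            -a|-d|-i|-r)
                [ $# -ge 2 ] || { echo "pflog_filter: $1 needs a value" >&2; return 1; }
                ;;
        esac
        case $1 in
            -a) term="action $2"; shift 2 ;;
            -d) case $2 in
                    inbound|outbound) term=$2 ;;
                    *) echo "pflog_filter: -d takes inbound or outbound" >&2
                       return 1 ;;
                esac
                shift 2 ;;
            -i) term="on $2"; shift 2 ;;
            -r) term="rnr $2"; shift 2 ;;
            *)  term=$1; shift ;;
        esac
        if [ -z "$filt" ]; then filt=$term; else filt="$filt and $term"; fi
    done
    printf '%s\n' "$filt"
}

# pflog_command ARGS...
# Print the tcpdump invocation for the composed filter. -e prints the pflog
# header (rule number, action, direction, interface) in front of each packet;
# -n leaves names unresolved and -ttt prints relative timestamps.
pflog_command() {
    f=$(pflog_filter "$@") || return 1
    printf "tcpdump -n -e -ttt -i pflog0 '%s'\n" "$f"
}

# Demo: find the DNS block rule in the sample output, then build the command
# that shows only inbound packets blocked by that rule on em0.
if nr=$(rule_number "$SAMPLE_RULES" 'port = 53'); then
    pflog_command -a block -d inbound -i em0 -r "$nr"
fi
# Everything that was logged but not blocked, as suggested above:
pflog_command 'not action block'
```

The rule-number lookup fails loudly when nothing matches, which is the case to watch for: rule numbers shift whenever pf.conf changes, so a filter built from an old number silently selects the wrong rule (or nothing) against fresh pflog0 traffic.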

Our OpenBSD pflog0 interfaces appear to only log a relatively modest amount of packet data; it's often not enough to do things like completely reconstruct many DNS replies. I'm not sure how you increase the packet size for pflog0 itself, unless it's controlled by the '-s snaplen' argument of pflogd (which I initially read as controlling how much of the packet data from pflog0 would be saved to the log file).

unix/OpenBSDPflogTcpdump written at 22:02:40

