Special tcpdump filtering options for OpenBSD's pflog interface
One of the convenient things that OpenBSD's pf packet filtering system can do is log packets of interest, as covered in the Packet Filtering section of the pf.conf manual page. These packets are logged to a special pflog network interface (where a daemon will generally write them to disk). Since this is a network interface, you can monitor traffic on it with OpenBSD's version of tcpdump (or use tcpdump to read the log file).
As part of this, the OpenBSD tcpdump has some special additional filtering options that are useful for selecting interesting traffic on this pf logging interface. These are covered in pcap-filter; many or all of them can be found by searching for mentions of pf(4). Here are the most notable ones that I want to remember.
- 'action': Matches if PF blocked, passed, nat'd, or did whatever to a particular packet. Using 'action block' or 'action pass' can significantly reduce your confusion if you have a mixture of pass and block pf rules that log traffic, as we do. Because we have such a mix, I'm trying to condition myself to always use 'action block' as part of tcpdump'ing pflog0. (For example, you might be passing and logging some traffic so that you can see how much of it you have.)
- 'inbound' and 'outbound': I believe that these have the same meaning as in pfctl -ss output. If you match on 'inbound' packets, you'll match only things logged by 'in' rules; if you match on 'outbound' packets, you'll match only things logged by 'out' rules. Or at least you'll match when packets are logged as they come in versus when they're logged as they get
- This matches packets that came from a specific interface, regardless of what sort of rule caused them to be logged. With appropriate interface names, this may better correspond to what you think of as 'inbound' or 'outbound'.
- This matches a specific rule number, but at this point your life gets a little tricky because you have to find out the number of the rule you want. The easiest way to do this is to run 'pfctl -vv -s rules | grep @' and then find your rule or rules of interest. This also doesn't help you if the rule number has changed from when the packet was logged (for example because you've changed your pf.conf). You can use 'rulenum' as a synonym for this.
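Finding the rule numbers by eye in 'pfctl -vv -s rules' output gets old quickly, so here is an added shell example (not from the original post) that pulls out the '@N' numbers of the rules matching a pattern and turns them into a 'rulenum' filter expression you can hand to tcpdump on pflog0. The sample pfctl output is constructed for the example, and the '@N rule text' line layout is my assumption about pfctl's verbose output.

```shell
#!/bin/sh
# Constructed sample of 'pfctl -vv -s rules' output (assumed layout: an
# "@N <rule>" line followed by indented "[ ... ]" counter lines). Not
# captured from a real host.
SAMPLE_RULES='@0 block drop in log all
  [ Evaluations: 100 Packets: 20 Bytes: 1200 States: 0 ]
  [ Inserted: uid 0 pid 12345 State Creations: 0 ]
@1 pass in log quick on em0 inet proto tcp from any to any port = 22 flags S/SA keep state
  [ Evaluations: 80 Packets: 5 Bytes: 300 States: 1 ]
  [ Inserted: uid 0 pid 12345 State Creations: 1 ]
@2 block drop in log quick on em0 inet proto udp from any to any port = 53
  [ Evaluations: 60 Packets: 2 Bytes: 128 States: 0 ]
  [ Inserted: uid 0 pid 12345 State Creations: 0 ]
@3 pass out log on em0 all flags S/SA keep state
  [ Evaluations: 40 Packets: 9 Bytes: 900 States: 3 ]
  [ Inserted: uid 0 pid 12345 State Creations: 3 ]'

# rulenums PATTERN: read 'pfctl -vv -s rules' output on stdin and print the
# rule numbers (the N in "@N") of rule lines matching PATTERN, an extended
# regex. Only "@" lines are searched, so the counter lines never match.
rulenums() {
    grep '^@' | grep -E -- "$1" | sed -E 's/^@([0-9]+) .*/\1/'
}

# rule_filter PATTERN: join those numbers into one tcpdump filter
# expression such as "(rulenum 0 or rulenum 2)". Prints nothing when no
# rule matches. Remember the caveat from the post: the numbers are only
# valid for the ruleset that was loaded when the packets were logged, so
# regenerate the expression after every pf.conf reload.
rule_filter() {
    rulenums "$1" | awk 'BEGIN { ORS = "" }
        { printf "%s%s", (NR > 1 ? " or " : "("), "rulenum " $1 }
        END { if (NR > 0) print ")" }'
}

# Demonstration on the constructed sample: all logging block rules.
# On a real host you would pipe 'pfctl -vv -s rules' in instead, then run
# something like: tcpdump -n -e -ttt -i pflog0 "$(... | rule_filter block) and action block"
printf '%s\n' "$SAMPLE_RULES" | rule_filter 'block'
echo
```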
I believe that 'action block' is pretty safe, but if you want 'everything but blocked' you may want to just use 'not action block' rather than trying to figure out which other actions your specific configuration of rules needs you to use.
Our OpenBSD pflog0 interfaces appear to only log a relatively modest amount of packet data; it's often not enough to do things like completely reconstruct many DNS replies. I'm not sure how you increase the packet size for pflog0 itself, unless it's controlled by the '-s snaplen' argument of pflogd (which I initially read as controlling how much of the packet data from pflog0 would be saved to the log file).