Date:      Tue, 4 Nov 2008 20:13:54 +0100
From:      cpghost <cpghost@cordula.ws>
To:        freebsd-questions@freebsd.org
Subject:   Watching /var/log/pflog grow
Message-ID:  <20081104191354.GA1819@phenom.cordula.ws>

How can I watch /var/log/pflog grow with tcpdump, "tail -f" style?

This won't work:
  $ tail -f /var/log/pflog | tcpdump -n -s 116 -r -
because tail doesn't start at the right location.

Using a blocksize (-b) with tail may also not be right,
because the captured packets are not the same size.

This seems to work:
  $ tcpdump -n -s 116 -i pflog0
but now, both tcpdump and pflogd are competing for the same
interface pflog0.

I'm afraid that in the latter case, every packet will be
  EITHER logged by pflogd
  XOR    displayed by tcpdump.
Is that so?

If yes, /var/log/pflog would be incomplete, because some packets
would have been snatched away from pflog0 by tcpdump, before
pflogd ever got a chance to read them out.

Is there a way to watch /var/log/pflog grow, while
still making sure that pflogd logs EVERY packet that appears
on the pflog0 interface? How?

Thanks
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
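Added example, not code from the post above or from FreeBSD/tcpdump: a small Python reader for the pcap container that /var/log/pflog is written in. It shows the two pieces of structure that matter for following the file: a single 24-byte global header at offset 0 (magic number, snaplen, link type), then a 16-byte record header in front of every captured packet. A reader that starts at some byte offset inside the file, as a tail-style start does, never sees the global header and cannot validate the stream; a reader that consumes the header once and then keeps polling for appended records can follow the file as it grows. The file contents, timestamps and payloads are constructed; the value DLT_PFLOG = 117 is the real pcap link type for pflog, and the snaplen of 116 mirrors the `-s 116` in the post. The example says nothing about whether tcpdump and pflogd share pflog0; it covers only the file side of the question.

```python
"""Parse and follow a growing pcap file of the kind pflogd writes (added example, constructed data)."""
import os
import struct
import tempfile
import threading
import time

PCAP_MAGIC = 0xA1B2C3D4                   # little-endian pcap magic, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")    # 24 bytes, written exactly once at file offset 0
RECORD_HDR = struct.Struct("<IIII")       # 16 bytes in front of every captured packet
DLT_PFLOG = 117                           # pcap link type used by pflog interfaces


def encode_record(ts_sec, ts_usec, payload, snaplen=116):
    """Serialise one packet record; the capture is truncated to snaplen like 'tcpdump -s 116'."""
    captured = payload[:snaplen]
    return RECORD_HDR.pack(ts_sec, ts_usec, len(captured), len(payload)) + captured


def build_pcap(records, snaplen=116, linktype=DLT_PFLOG):
    """Build a complete pcap byte string from (ts_sec, ts_usec, payload) tuples."""
    out = GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, payload in records:
        out += encode_record(ts_sec, ts_usec, payload, snaplen)
    return out


def parse_global_header(buf):
    """Validate the 24-byte global header; a pcap reader must see it once, at the start."""
    if len(buf) < GLOBAL_HDR.size:
        raise ValueError("short read: no global header")
    magic, major, minor, _tz, _sig, snaplen, linktype = GLOBAL_HDR.unpack_from(buf)
    if magic != PCAP_MAGIC:
        raise ValueError("stream does not begin with pcap magic")
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype}


def split_records(pending):
    """Split complete records off a byte buffer; return (records, leftover partial bytes)."""
    records = []
    while len(pending) >= RECORD_HDR.size:
        ts_sec, ts_usec, incl_len, orig_len = RECORD_HDR.unpack_from(pending)
        end = RECORD_HDR.size + incl_len
        if len(pending) < end:
            break                          # record still being written: wait for more bytes
        records.append((ts_sec, ts_usec, orig_len, pending[RECORD_HDR.size:end]))
        pending = pending[end:]
    return records, pending


def follow_pcap(path, want, poll=0.05, timeout=5.0):
    """Read the global header once, then keep reading appended records until `want` are seen."""
    records = []
    with open(path, "rb") as fh:
        header = parse_global_header(fh.read(GLOBAL_HDR.size))
        pending = b""
        deadline = time.monotonic() + timeout
        while len(records) < want and time.monotonic() < deadline:
            chunk = fh.read(65536)
            if not chunk:
                time.sleep(poll)           # at EOF: wait for the logger to append more
                continue
            done, pending = split_records(pending + chunk)
            records.extend(done)
    return header, records


def tail_style_start(buf, nbytes=40):
    """What a byte-offset tail hands a reader: the file's last bytes, without the global header."""
    return buf[-nbytes:]


def demo():
    # Constructed records: a pflog header area of zeros followed by a marker string.
    initial = [(1225825000, 0, b"\x00" * 61 + b"pass in"),
               (1225825001, 500, b"\x00" * 61 + b"block in")]
    late = (1225825002, 900, b"\x00" * 61 + b"block out" + b"X" * 200)  # longer than snaplen
    fd, path = tempfile.mkstemp(suffix=".pflog")
    os.write(fd, build_pcap(initial))
    os.close(fd)

    def append_later():                    # stands in for pflogd appending a new record
        time.sleep(0.2)
        with open(path, "ab") as fh:
            fh.write(encode_record(*late))

    threading.Thread(target=append_later, daemon=True).start()
    header, records = follow_pcap(path, want=3)

    # A reader that starts mid-file has no magic number to validate the stream against.
    tail_error = None
    with open(path, "rb") as fh:
        try:
            parse_global_header(tail_style_start(fh.read()))
        except ValueError as exc:
            tail_error = str(exc)
    os.unlink(path)
    return header, records, tail_error


if __name__ == "__main__":
    hdr, recs, err = demo()
    print(hdr, len(recs), "records; tail-style reader:", err)
```

The follower loops on `read()` at EOF and retries after a short sleep, which is the same idea as `tail -f`, but it only ever hands a parser whole records, and it consumed the global header itself before the first record. That is why a byte-offset start is the wrong tool for this container: the data after the offset is a valid sequence of records only if the reader already knows the snaplen and link type from the header it skipped.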


