From owner-freebsd-questions@FreeBSD.ORG  Tue Nov  4 19:12:42 2008
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E86391065672
	for <freebsd-questions@freebsd.org>;
	Tue,  4 Nov 2008 19:12:42 +0000 (UTC)
	(envelope-from cpghost@cordula.ws)
Received: from fw.farid-hajji.net (fw.farid-hajji.net [213.146.115.42])
	by mx1.freebsd.org (Postfix) with ESMTP id 198C18FC24
	for <freebsd-questions@freebsd.org>;
	Tue,  4 Nov 2008 19:12:41 +0000 (UTC)
	(envelope-from cpghost@cordula.ws)
Received: from phenom.cordula.ws (phenom [192.168.254.60])
	by fw.farid-hajji.net (Postfix) with ESMTP id B3A5235D89;
	Tue,  4 Nov 2008 20:12:38 +0100 (CET)
Date: Tue, 4 Nov 2008 20:13:54 +0100
From: cpghost <cpghost@cordula.ws>
To: freebsd-questions@freebsd.org
Message-ID: <20081104191354.GA1819@phenom.cordula.ws>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: Watching /var/log/pflog grow
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Nov 2008 19:12:43 -0000

How can I watch /var/log/pflog grow with tcpdump, "tail -f" style?

This won't work:
  $ tail -f /var/log/pflog | tcpdump -n -s 116 -r -
because tail doesn't start at the right location.

Using a blocksize (-b) with tail may also not be right,
because the captured packets are not the same size.

This seems to work:
  $ tcpdump -n -s 116 -i pflog0
but now, both tcpdump and pflogd are competing for the same
interface pflog0.

I'm afraid that in the latter case, every packet will be
  EITHER logged by pflogd
  XOR    displayed by tcpdump.
Is that so?

If yes, /var/log/pflog would be incomplete, because some packets
would have been snatched away from pflog0 by tcpdump, before
pflogd ever got a chance to read them out.

Is there a way to watch /var/log/pflog grow, while
still making sure that pflogd logs EVERY packet that appears
on the pflog0 interface? How?

Thanks
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/