Jason, I think what you want is the pflog0 interface.
--
James Records | Principal Network Engineer
M 425.984.4349
E [email protected]
W www.northshoresoftware.com

On Sun, Apr 28, 2013 at 9:46 AM, Jason Pyeron <[email protected]> wrote:
> Yes the interface for packet capture is nice for an interactive quick look,
> but it is not a solution for an automated ingest system for 24x7 capture.
>
> regarding the logs:
>
> {mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 00:00:00.001738 rule 23/0(match): block in on em0: (tos 0x0, ttl 116, id 4687, offset 0, flags [DF], proto UDP (17), length 66)
> {mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 31.222.133.87.53 > 67.90.184.35.53: 952+ [1au] ANY? ripe.net. (38)
>
> the detail is insufficient. I tried "Show raw filter logs", but there does not seem to be any appreciable difference. I have a backend system (IDS type of thing) which ingests pcap data as well as syslog; in this case the syslog from the pfSense is too lightweight.
>
> can I sniff the bridge [BRIDGE0]?
>
> -Jason
>
> ------------------------------
> From: [email protected] [mailto:[email protected]] On Behalf Of Trevor Benson
> Sent: Sunday, April 28, 2013 10:14
> To: pfSense support and discussion
> Subject: Re: [pfSense] Packet capture
>
> Have you tried using the built in packet capture under diagnostics? This will clean up your ssh traffic, which is what I assume you mean by tcpdump recursive traffic. Plus you can download a pcap to examine more closely in wireshark.
>
> As for traffic denied by the firewall have you tried looking at the firewall logs?
>
> Trevor
>
> On Apr 28, 2013 5:47 AM, "Jason Pyeron" <[email protected]> wrote:
>
>> I am looking to capture all the packets that are traversing and attempting to traverse the firewall.
>>
>> If I use tcpdump -i WAN I get all the packets, if I use tcpdump -i LAN then I only get the packets that made it past the firewall plus the recursive traffic of my pcap data leaving the firewall too.
>>
>> This is telling me I should be using another port, but still does not help me separate the pcap data into 2 buckets:
>>
>> 1: blocked
>> 2: not blocked
>>
>> Any suggestions?
>>
>
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> - Jason Pyeron                PD Inc. http://www.pdinc.us        -
> - Principal Consultant        10 West 24th Street #100           -
> - +1 (443) 269-1555 x333      Baltimore, Maryland 21218          -
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> This message is copyright PD Inc, subject to license 20080407P00.
>
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
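What the pflog0 suggestion looks like as a two-bucket capture, as an added example (not code from the thread or from pfSense): pflog0 carries only packets matched by rules that have logging enabled, and the pflog-specific BPF qualifiers `action block` / `action pass` split them into the blocked and not-blocked buckets Jason asked for, so the LAN-side copy of the capture traffic never enters either file. It assumes a FreeBSD/pfSense host with pflog0 and tcpdump, run as root; the output directory, file naming and hourly rotation are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: write pf-logged packets from pflog0 into
# two pcap buckets (blocked / passed) for an automated ingest system.
# Assumes: FreeBSD/pfSense with pflog0 present, tcpdump installed, run as root,
# and the rules of interest carry the "log" keyword (pfSense logs its default
# block rule by default; pass rules must be set to log explicitly).

# Build the pflog-specific BPF filter for a bucket.
#   $1 = blocked | passed
#   $2 = optional real interface name (e.g. em0) to restrict the bucket to
pflog_filter() {
    case "$1" in
        blocked) f='action block' ;;
        passed)  f='action pass' ;;
        *) echo "pflog_filter: unknown bucket '$1'" >&2; return 1 ;;
    esac
    # "ifname" is the pflog qualifier for the interface the packet was logged on
    [ -n "${2:-}" ] && f="$f and ifname $2"
    echo "$f"
}

# Start one long-running capture for a bucket, rotating files hourly.
#   $1 = bucket, $2 = output directory, $3 = optional interface name
capture_bucket() {
    f=$(pflog_filter "$1" "${3:-}") || return 1
    mkdir -p "$2"
    # -n: no name resolution, -s 0: full packets, -G 3600: new file every hour,
    # -w with a strftime pattern so the ingest side can pick files up by name.
    tcpdump -n -i pflog0 -s 0 -G 3600 \
        -w "$2/pf-$1-%Y%m%d-%H%M%S.pcap" "$f"
}

# Entry point: "sh script.sh run [outdir] [ifname]" starts both buckets in the
# background; without "run" only the functions are defined.
if [ "${1:-}" = "run" ]; then
    out=${2:-/var/log/pfcap}
    capture_bucket blocked "$out" "${3:-}" &
    capture_bucket passed  "$out" "${3:-}" &
    wait
fi
```

Both captures read the same pflog0 stream, so a packet lands in exactly one bucket according to the action pf logged for it.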
