Quoting Joachim Schipper <[EMAIL PROTECTED]>:

On Mon, Mar 06, 2006 at 03:31:51PM -0500, [EMAIL PROTECTED] wrote:
I'm trying to use tcpdump to capture traffic on the external interface of
my NAT/firewall/web/mail/etc. system in a quasi-private way,
specifically by excluding any traffic that comes from or is ultimately
destined to NAT'ed boxes. Since packets which go from or to
192.168.2.0/24 are NAT'ed before (and probably after) tcpdump sees
them, I don't believe I can accomplish this with a simple "not net
192.168.2.0/24" filter on tcpdump; thus, I've turned to the "rulenum"
or "rdr" feature of tcpdump's filter criteria, which works on packets
logged by pf(4).

I know that if I simply enable logging on all of the packets I want to
see, using pf-based tcpdump filter criteria works like a charm. The
problem I have is that doing so will make for a rather gigantic
/var/log/pflog very quickly, a situation I'd like to avoid if possible
(for disk space and possible performance issues). Thus, my question is:
is it possible to enable pf logging without writing to /var/log/pflog,
while still preserving tcpdump's ability to see packets on the pflog0
interface? Alternately, is there a better/simpler way to accomplish my
tcpdump objective of not logging packets coming from or destined to
NAT'ed boxes?

Actually, pf(4) does not log anything at all - pflogd(8) does. I
routinely run pf(4) without pflogd(8) - it allows for easy debugging
without filling the disk.

...which sounds like almost precisely what I'm trying to do. Judging from the fact that I'm able to run "tcpdump -n -i pflog0 -w traffic.pcap" and catch packets even after killing off pflogd(8), it looks like you've provided me with an excellent answer. Thanks!

Alex Kirk
