Hi, I'm trying to set up a system to account for the traffic that flows through the firewall by service (http, smtp, etc). I have had some success playing with tcpdump and pf logging but I can't quite work out what's going on. I have pf logging the traffic that I want to account for so /var/log/pflog is filling up nicely. Taking a few sample lines from the output of:
# tcpdump -n -r /var/log/pflog
13:35:07.985465 220.135.151.10.1254 > 195.224.72.148.25: S 108231586:108231586(0) win 65535 <mss 1300,nop,nop,sackOK> (DF)
13:35:08.384197 195.224.72.148.59258 > 195.224.72.2.53: 28701+[|domain]
13:35:15.747376 24.198.33.0.3395 > 195.224.72.148.25: S 531328580:531328580(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
13:35:18.025285 80.62.253.137.4452 > 195.224.72.148.80: S 3580612744:3580612744(0) win 65535 <mss 1452,nop,nop,sackOK> (DF)
13:35:28.544158 131.165.205.101.1886 > 195.224.72.148.80: S 2587435678:2587435678(0) win 16384 <mss 1460> (DF)
13:35:29.585572 66.154.102.108.53139 > 195.224.72.148.80: S 1452108063:1452108063(0) win 5840 <mss 1460,sackOK,timestamp 142976852 0,nop,wscale 0> (DF)
13:35:38.090762 82.153.166.67.1436 > 195.224.72.148.80: S 1406992321:1406992321(0) win 65535 <mss 1452,nop,nop,sackOK> (DF)

I can't actually work out which field in these lines is the size of the data payload for each packet. The first line looks like an SMTP connection, the last four look like HTTP connections (incoming). I've read the pflog documentation, and the tcpdump documentation, but perhaps I've missed something. If I want to get packet sizes, I need to run tcpdump on the live interface (not the pflog file) with the -e flag, which, as the manual suggests:

Link Level Headers
If the -e option is given, the link level header is printed out. On Ethernets, the source and destination addresses, protocol, and packet length are printed.

Which gives me packet length. However, this is for all traffic, and I'm only interested in traffic that makes it through pf, or traffic that I specifically want to log via pf. I have looked at tools like symon/symux (which I'll be using for the data logging), I don't want to run ntop, and iplog hasn't been touched for years. The mailing archive suggested IPAudit, but I'd rather use native tools if I can.
Do I have to listen to the interface directly (tcpdump -n ip) or can I get the packet size information from the pflog file?

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
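An added example, not code from the poster, showing how to read the one size field that is present in lines of the shape quoted above: in tcpdump's TCP summary "first:last(N)", N is the number of TCP payload bytes in that packet (it excludes IP and TCP headers). The script parses such lines, accounts payload bytes per destination service, and counts lines (like the UDP DNS one) for which tcpdump printed no size at all; the sample input is constructed from three lines of the post plus one made-up data-carrying HTTP line.

```python
import re
from collections import defaultdict

# Matches the "time src.port > dst.port: rest" shape of tcpdump -n output.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# "first:last(N)" in the TCP summary; N is the payload length in bytes.
PAYLOAD_RE = re.compile(r"\d+:\d+\((?P<len>\d+)\)")
# Services the post wants to account for, keyed by destination port.
SERVICES = {25: "smtp", 80: "http", 53: "domain"}

# Constructed sample: three lines from the post and one made-up PSH packet carrying 512 bytes.
SAMPLE = """\
13:35:07.985465 220.135.151.10.1254 > 195.224.72.148.25: S 108231586:108231586(0) win 65535 <mss 1300,nop,nop,sackOK> (DF)
13:35:08.384197 195.224.72.148.59258 > 195.224.72.2.53: 28701+[|domain]
13:35:18.025285 80.62.253.137.4452 > 195.224.72.148.80: S 3580612744:3580612744(0) win 65535 <mss 1452,nop,nop,sackOK> (DF)
13:35:18.120000 80.62.253.137.4452 > 195.224.72.148.80: P 3580612745:3580613257(512) ack 1 win 65535 (DF)
"""

def parse_line(line):
    """Return (service, payload_len) for one tcpdump line; payload_len is None when
    the line carries no "first:last(N)" field. Returns None for unmatched lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dport = int(m.group("dport"))
    service = SERVICES.get(dport, "port-%d" % dport)
    p = PAYLOAD_RE.search(m.group("rest"))
    return service, (int(p.group("len")) if p else None)

def account(text):
    """Aggregate per service: packets seen, TCP payload bytes, and lines with no size."""
    totals = defaultdict(lambda: {"packets": 0, "payload_bytes": 0, "unsized": 0})
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        service, length = parsed
        totals[service]["packets"] += 1
        if length is None:
            totals[service]["unsized"] += 1   # no size printed; cannot be accounted from this line
        else:
            totals[service]["payload_bytes"] += length
    return dict(totals)

if __name__ == "__main__":
    for service, t in sorted(account(SAMPLE).items()):
        print("%-8s packets=%d payload_bytes=%d unsized=%d" % (service, t["packets"], t["payload_bytes"], t["unsized"]))
```

Because N counts payload only, and is absent for non-TCP lines, totals built this way understate what crossed the wire; that is exactly the gap between this output and the per-packet length printed with -e on a live interface.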