| PFLOGD(8) | System Manager's Manual | PFLOGD(8) | 
pflogd —
| pflogd | [ -Dx]
      [-ddelay]
      [-ffilename]
      [-iinterface]
      [-ppidfile]
      [-ssnaplen]
      [expression] | 
pflogd is a background daemon which reads packets logged
  by pf(4) to a
  pflog(4) interface, normally
  pflog0, and writes the packets to a logfile (normally
  /var/log/pflog) in
  tcpdump(8) binary format. These
  logs can be reviewed later using the -r option of
  tcpdump(8), hopefully offline
  in case there are bugs in the packet parsing code of
  tcpdump(8).
pflogd closes and then re-opens the log
    file when it receives SIGHUP, permitting
    newsyslog(8) to rotate
    logfiles automatically. SIGALRM causes
    pflogd to flush the current logfile buffers to the
    disk, thus making the most recent logs available. The buffers are also
    flushed every delay seconds.
If the log file contains data after a restart or a
    SIGHUP, new logs are appended to the existing file.
    If the existing log file was created with a different snaplen,
    pflogd temporarily uses the old snaplen to keep the
    log file consistent.
pflogd tries to preserve the integrity of
    the log file against I/O errors. Furthermore, integrity of an existing log
    file is verified before appending. If there is an invalid log file or an I/O
    error, the log file is moved out of the way and a new one is created. If a
    new file cannot be created, logging is suspended until a
    SIGHUP or a SIGALRM is
    received.
The options are as follows:
-Dpflogd does not disassociate from
      the controlling terminal.-d
    delay-f
    filename-i
    interfacepflogd will use
      pflog0.-p
    pidfile-s
    snaplen-xpflogd.# pflogd -s 1600 -f suspicious.log port 80 and host evilhost
Log from another pflog(4) interface, excluding specific packets:
# pflogd -i pflog3 -f network3.log "not (tcp and port 23)"
Display binary logs:
# tcpdump -n -e -ttt -r /var/log/pflog
Display the logs in real time (this does not interfere with the
    operation of pflogd):
# tcpdump -n -e -ttt -i pflog0
Tcpdump has been extended to be able to filter on the pfloghdr structure defined in ⟨net/if_pflog.h⟩. Tcpdump can restrict the output to packets logged on a specified interface, a rule number, a reason, a direction, an IP family or an action.
Display the logs in real time of inbound packets that were blocked on the wi0 interface:
# tcpdump -n -e -ttt -i pflog0 inbound and action block and on wi0
pflogd command appeared in OpenBSD
  3.0.
pflogd was written by Can Erkin
  Acar
  <canacar@openbsd.org>.
| May 31, 2007 | NetBSD 10.1 |