pflogd is a background daemon which reads packets logged by
pf(4) to a
pflog(4) interface, normally
pflog0, and writes the packets to a logfile (normally
/var/log/pflog) in
tcpdump(8) binary format. These logs can be reviewed later using the
-r option of
tcpdump(8), hopefully offline in case there are bugs in the packet parsing code of
tcpdump(8).
pflogd closes and then re-opens the log file when it receives
SIGHUP, permitting
newsyslog(8) to rotate logfiles automatically.
SIGALRM causes
pflogd to flush the current logfile buffers to the disk, thus making the most recent logs available. The buffers are also flushed every
delay seconds.
If the log file contains data after a restart or a
SIGHUP, new logs are appended to the existing file. If the existing log file was created with a different snaplen,
pflogd temporarily uses the old snaplen to keep the log file consistent.
pflogd tries to preserve the integrity of the log file against I/O errors. Furthermore, integrity of an existing log file is verified before appending. If there is an invalid log file or an I/O error, the log file is moved out of the way and a new one is created. If a new file cannot be created, logging is suspended until a
SIGHUP or a
SIGALRM is received.
The options are as follows:
-D
Debugging mode. pflogd does not disassociate from the controlling terminal.
-d delay
Time in seconds to delay between automatic flushes of the file. This may be specified with a value between 5 and 3600 seconds. If not specified, the default is 60 seconds.
-f filename
Log output filename. Default is /var/log/pflog.
-i interface
Specifies the
pflog(4) interface to use. By default,
pflogd will use
pflog0.
-p pidfile
Writes a file containing the process ID of the program. The file name has the form /var/run/pidname.pid. If the option is not given, pidfile defaults to pflogd.
-s snaplen
Analyze at most the first snaplen bytes of data from each packet rather than the default of 116. The default of 116 is adequate for IP, ICMP, TCP, and UDP headers but may truncate protocol information for other protocols. Other file parsers may desire a higher snaplen.
-x
Check the integrity of an existing log file, and return.
expression
Selects which packets will be dumped, using the regular language of
tcpdump(8).