Contributed by rueda on from the pcaps or it didnt happen dept.
Following its recent introduction on tech@ [See earlier article], David Gwynne (dlg@) has committed bpflogd(8) to the tree:
CVSROOT: /cvs
Module name: src
Changes by: dlg@cvs.openbsd.org 2025/05/06 19:41:59

Added files:
 usr.sbin/bpflogd: Makefile bpflogd.8 bpflogd.c log.c log.h

Log message:
bpflogd(8): capture packets from BPF and write them to a log file

this is like pflogd(8), but different. the main differences are:

- it can log on any type of BPF interface and DLT, not just pflog(4)
- a single bpflogd can log packets from multiple BPF interfaces to the one log file
- it uses libevent and non-blocking FDs instead of blocking on pcap_dispatch in a loop with crazy signal handling
  - this also avoids restartable syscalls
- it uses unveil and drops privs instead of chroot+privsep
  - this means the log file has to be writable by the user bpflogd runs as so it can reopen it after rotation.
- it captures full packets by default, not just 160 bytes
- you can provide a pcap-filter expression in a file
  - this makes the pexp handling in rc.subr a lot more robust
- the .c files are about half the number of lines

the reason it exists is because i needed to continuously log some packets from span ports coming from multiple switches to try and help debug a network issue that only seems to occur every couple of months. pflogd provides that for a single pflog interface, but i needed it on multiple ethernet interfaces.

ok deraadt@
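As an added example (not part of the article and not code from bpflogd or OpenBSD), the script below reads a pcap-format savefile, which is the format pflogd(8) writes and which this example assumes bpflogd writes as well, and reports the link type (DLT) and how many records were clipped to the snaplen, the condition the "full packets by default, not just 160 bytes" point above is about. It also tolerates a torn final record, which is what a log that was rotated or interrupted mid-write looks like, instead of failing on it. The sample capture is constructed inline; the DLT names are the libpcap numbering.

```python
import struct

# libpcap link-layer type numbers, subset used for labelling output
DLT_NAMES = {0: "DLT_NULL", 1: "DLT_EN10MB", 117: "DLT_PFLOG"}

MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D  # pcap variant with nanosecond timestamps


def parse_pcap(data):
    """Parse a pcap savefile held in memory.

    Returns a dict with the link type, the snaplen, one (timestamp,
    captured_len, wire_len) tuple per record, the number of records whose
    captured length is shorter than the on-wire length (i.e. clipped to the
    snaplen), and whether the file ends in a partially written record.
    """
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte pcap global header")
    # The magic number tells us the byte order the writer used.
    (magic,) = struct.unpack("<I", data[:4])
    endian = "<"
    if magic not in (MAGIC_USEC, MAGIC_NSEC):
        (magic,) = struct.unpack(">I", data[:4])
        if magic not in (MAGIC_USEC, MAGIC_NSEC):
            raise ValueError("not a pcap savefile: bad magic")
        endian = ">"
    ts_div = 1e9 if magic == MAGIC_NSEC else 1e6
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])

    packets, truncated, partial_tail = [], 0, False
    offset = 24
    while offset < len(data):
        if len(data) - offset < 16:
            partial_tail = True  # record header cut off mid-write
            break
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        if incl_len > snaplen:
            raise ValueError("record claims %d bytes, more than snaplen %d"
                             % (incl_len, snaplen))
        if len(data) - offset < incl_len:
            partial_tail = True  # packet body cut off mid-write
            break
        offset += incl_len
        if incl_len < orig_len:
            truncated += 1  # writer clipped this frame to its snaplen
        packets.append((ts_sec + ts_frac / ts_div, incl_len, orig_len))

    return {"linktype": linktype, "dlt": DLT_NAMES.get(linktype, str(linktype)),
            "snaplen": snaplen, "packets": packets,
            "truncated": truncated, "partial_tail": partial_tail}


def build_pcap(linktype, snaplen, records, endian="<"):
    """Build a pcap savefile in memory (used only to construct sample data)."""
    out = struct.pack(endian + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, payload, wire_len in records:
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(payload), wire_len)
        out += payload
    return out


# Constructed sample: an Ethernet capture written with a 160-byte snaplen.
# The second frame was 1514 bytes on the wire but only 160 were kept.
SAMPLE_CAPTURE = build_pcap(1, 160, [
    (1746560519, 0, b"\x00" * 60, 60),
    (1746560520, 500000, b"\x00" * 160, 1514),
])


def report(data):
    """Human-readable summary of what parse_pcap found."""
    info = parse_pcap(data)
    lines = ["%s, snaplen %d, %d record(s)" %
             (info["dlt"], info["snaplen"], len(info["packets"]))]
    if info["truncated"]:
        lines.append("%d record(s) clipped to snaplen; raise the snaplen "
                     "if full payloads are needed" % info["truncated"])
    if info["partial_tail"]:
        lines.append("file ends in a partial record (writer interrupted?)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CAPTURE))
    print(report(SAMPLE_CAPTURE[:-50]))  # simulate a torn final record
```

Running it on a real log is a matter of `parse_pcap(open(path, "rb").read())`; a non-zero `truncated` count on a bpflogd log would mean someone lowered the snaplen from the full-packet default.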
So there it is, another nice tool for your packet scrutiny needs. As usual, the developers would like to hear back from you about your experiences using the new toy^Hol.