OpenBSD Journal

Minimalistic tcpdump with syslog

Contributed by jose on from the exportable-transport-logs dept.

Jarkko Turkulainen has put together a minimalistic tcpdump with syslog(3) support into a modified pflogd . This can be useful for doing remote logging from a PF device, such as a small, diskless firewall. It has some drawbacks, obviously, and loses a bit of information, but in general it's an easy way for you to store your PF logs for analysis when you have no disk on your firewall. Thanks, Jarkko, and thanks Ron for finding this.

(Comments are closed)

  1. By Anonymous () on

    Why do you think PF log files are not in plain text by default?

    And in fact you can always analyse them with:

    tcpdump -n -e -ttt -r /var/log/pflog | /path/to/you/analizer

    1. By Again me () on

      Found one more in the soekris ML:

      (tcpdump -ettni pflog0 | logger -t pflog) &

    2. By David JObes () on

      I use these tools from raffey marty and the odin project to log the data to mysql and produce graphs and tables for remote monitoing. example

    3. By jose () on

      please read the story again. diskless stations. no place to store pflog output in binary format.

      i have been working on pfexport, a tool to export the pflog data in binary format to a remote reader. its almost prime time, but has a sticky bug which prevents it from working. the basic premise is like ciscos netflow, you specifiy a timeout to kick records out ... ie every second, every 30 seconds, whatever, using UDP packets.

  2. By djm () on

    There is a reason that pflogd doesn't do this by default. Look how many bugs that tcpdump has had in its packet parsing, mainly trusting network-supplied length fields in headers.

    1. By Jarkko Turkulainen () on

      And that is also why I have tried to do only a minimal amount of parsing (~ 500 lines of C code, compare that to ~ 20000 lines of tcpdump) and a setuid() after the packet capture socket open.

      OK, this doesn't mean that my method is more secure, but I hope it will if more people look at it and review the code.

  3. By Anonymous Coward () on

Latest Articles


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]