On Mon, Mar 06, 2006 at 03:31:51PM -0500, [EMAIL PROTECTED] wrote:
> I'm trying to use tcpdump capture traffic on the external interface of 
> my NAT/firewall/web/mail/etc. system in a quasi-private way, 
> specifically by excluding any traffic that comes from or is ultimately 
> destined to NAT'ed boxes. Since packets which go from or to 
> 192.168.2.0/24 are NAT'ed before (and probably after) tcpdump sees 
> them, I don't believe I can accomplish this with a simple "not net 
> 192.168.2.0/24" filter on tcpdump; thus, I've turned to the "rulenum" 
> or "rdr" feature of tcpdump's filter criteria, which works on packets 
> logged by pf(4).
> 
> I know that if I simply enable logging on all of the packets I want to 
> see, using pf-based tcpdump filter criteria works like a charm. The 
> problem I have is that doing so will make for a rather gigantic 
> /var/log/pflog very quickly, a situation I'd like to avoid if possible 
> (for disk space and possible performance issues). Thus, my question is: 
> is it possible to enable pf logging without writing to /var/log/pflog, 
> while still preserving tcpdump's ability to see packets on the pflog0 
> interface? Alternately, is there a better/simpler way to accomplish my 
> tcpdump objective of not logging packets coming from or destined to 
> NAT'ed boxes?

Actually, pf(4) does not log anything at all - pflogd(8) does. I
routinely run pf(4) without pflogd(8) - it allows for easy debugging
without filling the disk.

                Joachim
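An added example, not part of the thread and not OpenBSD's own code: a pf.conf fragment plus a small sh script showing the approach the reply points at. Only the rules that can never match NAT'ed flows carry "log"; the translated flows are tagged in the match rules and passed by unlogged rules, so they never reach pflog0. pflogd(8) is disabled so nothing is written to /var/log/pflog, and tcpdump reads pflog0 directly. The interface name (em0), network, the internal host 192.168.2.10 and the ports are assumptions, and the fragment uses the match/nat-to/rdr-to syntax of OpenBSD 4.7 and later rather than the nat/rdr rules of 2006.

```shell
#!/bin/sh
# Added example: log only non-NAT'ed traffic on the external interface and
# read it from pflog0 with tcpdump, with pflogd(8) switched off.
# EXT_IF, INT_NET, the rdr target and the ports are assumed values.

EXT_IF="${EXT_IF:-em0}"
INT_NET="${INT_NET:-192.168.2.0/24}"

# Print the pf.conf fragment. The heredoc is quoted so the $ext_if/$int_net
# macros stay literal; only the two macro definitions are expanded here.
pf_conf_fragment() {
    printf 'ext_if = "%s"\nint_net = "%s"\n' "$EXT_IF" "$INT_NET"
    cat <<'EOF'

# Translation (OpenBSD 4.7+ syntax). Tag what gets translated so the filter
# rules below can tell NAT'ed flows from the firewall's own traffic.
match out on $ext_if inet from $int_net to any nat-to ($ext_if) tag NATTED
match in on $ext_if inet proto tcp to ($ext_if) port 8080 rdr-to 192.168.2.10 port 80 tag NATTED

# NAT'ed flows: pass, but never log, so they never appear on pflog0.
pass out quick on $ext_if tagged NATTED
pass in quick on $ext_if tagged NATTED

# The firewall's own traffic: "log" records the state-creating packet of each
# flow; use "log (all)" to record every packet of the flow instead.
pass out log on $ext_if inet from ($ext_if) to any
pass in log on $ext_if inet proto tcp from any to ($ext_if) port { 25 80 }
EOF
}

# Stop pflogd(8) so pflog0 is read only by a tcpdump started by hand.
# rcctl(8) exists from OpenBSD 5.7 on; older releases use
# pflogd_flags=NO in /etc/rc.conf.local.
disable_pflogd() {
    if command -v rcctl >/dev/null 2>&1; then
        rcctl disable pflogd && rcctl stop pflogd
    else
        echo 'pflogd_flags=NO' >> /etc/rc.conf.local && pkill pflogd
    fi
}

# Build the tcpdump command. With no arguments it shows everything pf sends
# to pflog0; with rule numbers (the @N column of "pfctl -vvsr") it restricts
# the capture to those rules, for rulesets where other rules also log.
watch_cmd() {
    filter=""
    for n in "$@"; do
        filter="${filter:+$filter or }rulenum $n"
    done
    printf "tcpdump -n -e -ttt -i pflog0%s\n" "${filter:+ '$filter'}"
}

# Dry run: emit the fragment and, where pfctl(8) is available, syntax-check
# it without loading it. Nothing here changes the running system.
pf_conf_fragment
if command -v pfctl >/dev/null 2>&1; then
    pf_conf_fragment | pfctl -nf -
fi
watch_cmd
watch_cmd 4 5
```

Because only the firewall's own rules are logged, the plain `tcpdump -n -e -ttt -i pflog0` already shows just the traffic the poster wants; the `rulenum` filter is only needed once other rules in the same ruleset log as well. Check the numbers with `pfctl -vvsr` before relying on them, since they shift whenever rules are added above the logged ones.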