I have asked myself the same question.
When runninng tcpdump -n -i pflog0 with the -e -v flags (and only in
that combination), it outputs tuples that looks like they should be a
uid and pid:
16:40:47.110033 rule 2/(match) [uid 0, pid 92257] block in on trunk0: ...
(it's 92257 on the machine this example is from, but is different on
other machines)
The pid that "pid" references does not show up in any invocation of ps
(-A, -a, -H, -k). It's also not mentioned in tcpdump[8].
pflog[4] does mention a uid_t uid and pid_t pid field in the pfloghdr
struct, but does not say where the values come from.
When I reload the pf ruleset with pfctl, the number in the pid field
changes. So my assumption is that it is the pid of the pfctl process
that inserted the rule. Is that correct?
thx /m
On 3/5/24 15:45, Theo de Raadt wrote:
What are you expecting here??
ofthecentury <ofthecent...@gmail.com> wrote:
Yes, I'm tcdupming pflog and ALL my dropped packets
reference some PID 6504 that is not found among
the processes that are running.