"Joel Gudknecht" <[EMAIL PROTECTED]> writes:

> rdr pass log on $ext_if proto tcp to port smtp -> $host

this only gives you the initial packet. for tracking traffic you probably
want to look at log (all).

> I've tried analyzing pflogs using ethereal/wireshark but could not get
> specifics about IPs and connection rates from it. I've also looked at
> ntop and pftop, which look good for real-time monitoring but I don't
> think they apply for what I'm trying to do.

the output of something like

  tcpdump -n -e -ttt -v -i pflog0

gives you quite a bit of data to play with if you want to do your own
parsing, but

> I'd like to generate a sorted list of top bandwidth hogs and their IP
> addresses.

for that purpose, the more promising path is probably to use labels with
the $srcaddr macro in them, and collect your statistics at regular
intervals for processing.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
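As an added illustration of the label-based approach suggested above (example code, not from the thread or from PF itself): a small POSIX sh helper that takes `pfctl -sl` output and ranks labels by bytes, so a periodic run gives the sorted "top bandwidth hogs" list. It assumes labels of the form `smtp:<address>` with no whitespace in them, the `pfctl -sl` column order label/evaluations/packets/bytes/..., and the sample counter lines are constructed, not captured.

```sh
#!/bin/sh
# Added example: rank PF rule labels by byte counters, as produced by `pfctl -sl`.
# Assumed column layout (see pfctl(8)):
#   label evaluations packets bytes [packets_in bytes_in packets_out bytes_out states]
# Labels are assumed to contain no whitespace, e.g. "smtp:192.0.2.10".
# In production: pfctl -sl | rank_labels 10   (run from cron, and zero the
# per-rule counters with `pfctl -z` after each sample if you want per-interval
# rather than cumulative figures).

# rank_labels N -- read `pfctl -sl` lines on stdin, print the N busiest labels
# as "<bytes> <label>", largest first.
rank_labels() {
    awk '$4 ~ /^[0-9]+$/ { print $4, $1 }' | sort -rn | head -n "$1"
}

# top_hog -- print only the address part of the single busiest label.
top_hog() {
    rank_labels 1 | awk '{ sub(/^[^:]*:/, "", $2); print $2 }'
}

# Constructed sample mimicking `pfctl -sl` output; the numbers are made up.
SAMPLE_PFCTL_SL='smtp:192.0.2.10 120 340 51200 170 25600 170 25600 12
smtp:192.0.2.77 900 12000 9830400 6000 4915200 6000 4915200 300
smtp:198.51.100.5 40 80 4096 40 2048 40 2048 3'

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PFCTL_SL" | rank_labels 3
```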