On Tue, 1 Mar 2005 16:59:53 -0600, eric <[EMAIL PROTECTED]> wrote:
> On Wed, 2005-03-02 at 11:22:15 +1300, Russell Fulton proclaimed...
> > I want to monitor the output from pflog in more or less real time. It
> > isn't clear to me what is the best (read simplest ;) way to do this.
> > What I really want is a version of tcpdump that will effectively do a
> > tail -f on /var/log/pf. Ideally it would cope with logfile rollovers
> > too.
>
> What was wrong with watching the pflog interface?
>
> Actually, you bring up an interesting idea; multiple interfaces for logging.
>
> Is there any possibility that a far-off wish list could include the ability
> to route packets from a pflog device onto the wire and then monitor that
> traffic? Say on a monitor network or something like that. It'd be helpful
> for those of us who are looking at clusters and several firewalls :)
IIRC, this is exactly what 'dup-to' is designed for.

It is important to note that dup-to works *exactly* like route-to, which means that the *ether* frame (assuming the dup-to destination is a hop via Ethernet) will be recreated (with the MAC of the dup-to destination) but the IP payload will be exactly the same as the packet being dup'd, including the original destination IP.

Incautious use of dup-to will create routing loops and generally confuse the heck out of your network admins. This may be considered to be a feature.

KK
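As an added illustration of the dup-to behaviour described in this reply (this is example configuration, not something posted in the thread), here is a pf.conf fragment that copies inbound web traffic to a sniffer on a dedicated monitor link while still logging it on pflog. The interface names, addresses and the port are assumptions chosen for the example.

```pf
# Added example, not from the thread. Interface names and addresses are
# assumptions; adjust to your own layout.
ext_if    = "fxp0"
mon_if    = "fxp2"          # dedicated link to the sniffer, nothing routes back over it
mon_host  = "192.0.2.10"    # next hop on $mon_if; it receives the copies
webserver = "10.0.0.5"

# dup-to (interface next-hop): the copy leaves $mon_if in a new Ethernet frame
# addressed to $mon_host's MAC, but the IP header is untouched and still says
# "to $webserver". That is the route-to semantics KK describes above, and it is
# why the sniffer must not forward IP: if it did, the copy would be routed back
# toward $webserver and you get the loop he warns about.
pass in log on $ext_if dup-to ($mon_if $mon_host) inet proto tcp \
    from any to $webserver port 80 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. The "log" keyword answers the original question at the same time: rather than tailing /var/log/pflog, watch the pflog(4) interface directly with `tcpdump -n -e -ttt -i pflog0`, which follows the packets as they are logged and is unaffected by log-file rotation. On the monitor host, keep net.inet.ip.forwarding at 0 (or give the monitor interface no IP address and sniff it promiscuously) so the duplicated packets are only ever observed, never re-forwarded.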