Re: Trying to see pf's logs using tcpdump

From: Christopher Nehren <apeiron_at_comcast.net>
Date: Sat, 28 Aug 2004 18:53:15 -0400
On Sat, Aug 28, 2004 at 18:10:28 EDT, Erik U. scribbled these
curious markings:
> I installed pf from the ports, configured and ran it.
> I just get this error when trying to watch pf's logs:
> 
> [root_at_nat] ~ $ tcpdump -n -e -ttt -r /var/log/pflog

You're running the 5.2.1-RELEASE tcpdump which doesn't know anything about PF 
log files. The PF port comes with its own version of tcpdump, aptly named 
pftcpdump. If you read the documentation, you'd know this.

> Why can't they just put the logs in text not in some damn binary..

Probably because the data in question *is* binary. I suggest you read 
byteorder(3) and better familiarise yourself with the way TCP/IP networks 
function before asking such questions. Furthermore, the file format
itself is documented in pcap(3).

If any of this bewilders, confuses, or surprises you, it may not be wise
for you to use a 5.x release of FreeBSD.

-- 
I abhor a system designed for the "user", if that word is a coded
pejorative meaning "stupid and unsophisticated".  -- Ken Thompson
-
Unix is user friendly. However, it isn't idiot friendly.
Received on Sat Aug 28 2004 - 20:53:19 UTC
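As an added illustration that is not part of the thread: a small Python reader for the pcap(3) savefile format that pf's logger writes, showing the byte-order detection from the file's magic number that the reply above points to via byteorder(3). Link type 117 is libpcap's DLT_PFLOG, which is why a stock tcpdump of that era could not decode the per-record header; the sample files below are constructed, and all names are mine.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # pcap(3) savefile magic, microsecond timestamps
DLT_PFLOG = 117           # libpcap link type for pf's per-record log header


def parse_pcap(data):
    """Return (byte_order, linktype, records) for a pcap savefile.

    byte_order is '<' or '>' in struct notation and is chosen from the
    magic number, so files written on either endianness parse correctly.
    Each record is (sec, usec, caplen, origlen, packet_bytes)."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic_be, = struct.unpack(">I", data[:4])
    if magic_be == PCAP_MAGIC:
        order = ">"
    elif struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        order = "<"
    else:
        raise ValueError("not a pcap file: magic 0x%08x" % magic_be)
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    _, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(
        order + "IHHiIII", data[:24])
    records = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, caplen, origlen = struct.unpack(order + "IIII",
                                                   data[off:off + 16])
        off += 16
        pkt = data[off:off + caplen]
        if len(pkt) != caplen:
            raise ValueError("truncated packet data at offset %d" % off)
        records.append((sec, usec, caplen, origlen, pkt))
        off += caplen
    return order, linktype, records


def build_sample(order, linktype, payloads):
    """Construct a pcap savefile in the given byte order (test input only)."""
    out = struct.pack(order + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, p in enumerate(payloads):
        out += struct.pack(order + "IIII", 1093733428 + i, 0, len(p), len(p)) + p
    return out


def describe(data):
    """Summarise a savefile: endianness, record count, and what each record holds."""
    order, linktype, recs = parse_pcap(data)
    kind = "pflog header + IP packet" if linktype == DLT_PFLOG else "link type %d" % linktype
    endian = "big" if order == ">" else "little"
    return "%s-endian, %d record(s), payload: %s" % (endian, len(recs), kind)
```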