OpenBSD Journal

Minimalistic tcpdump with syslog

Contributed by jose on from the exportable-transport-logs dept.

Jarkko Turkulainen has put together a minimalistic tcpdump with syslog(3) support, in the form of a modified pflogd. This is useful for remote logging from a PF device such as a small, diskless firewall. It has some obvious drawbacks and loses some of the information the binary pflog format carries, but in general it is an easy way to ship your PF logs off the box for analysis when the firewall has no disk. Thanks, Jarkko, and thanks Ron for finding this.



Comments
  1. By Anonymous () on

    Why do you think PF log files are not in plain text by default?

    And in fact you can always analyse them with:

    tcpdump -n -e -ttt -r /var/log/pflog | /path/to/your/analyzer

    Comments
    1. By Again me () on

      Found one more in the soekris ML:

      (tcpdump -ettni pflog0 | logger -t pflog) &

    2. By David JObes () djobes@xscanners.org on http://www.xscanners.org

      I use these tools from raffey marty and the odin project to log the data to mysql and produce graphs and tables for remote monitoring. Example: http://www.xscanners.org/mason/pstat.html

    3. By jose () on http://monkey.org/~jose/

      Please read the story again. Diskless stations. No place to store pflog output in binary format.

      I have been working on pfexport, a tool to export the pflog data in binary format to a remote reader. It's almost prime time, but has a sticky bug which prevents it from working. The basic premise is like Cisco's NetFlow: you specify a timeout to kick records out ... i.e. every second, every 30 seconds, whatever, using UDP packets.

  2. By djm () on

    There is a reason that pflogd doesn't do this by default. Look how many bugs that tcpdump has had in its packet parsing, mainly trusting network-supplied length fields in headers.

    Comments
    1. By Jarkko Turkulainen () on

      And that is also why I have tried to do only a minimal amount of parsing (~ 500 lines of C code, compare that to ~ 20000 lines of tcpdump) and a setuid() after the packet capture socket open.

      OK, this doesn't mean that my method is more secure, but I hope it will if more people look at it and review the code.
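To make the trade-off in the story and in djm's and Jarkko's exchange concrete, here is an added example (not Jarkko's code, and not part of the original story or comments) of what "minimal parsing" with length checks looks like: a C routine that takes one captured pflog record, validates every length it reads against the captured length before using it (the header's own length byte, the IPv4 IHL and total length, the room left for TCP/UDP ports), and produces a single syslog(3) line. The record layout is a simplified stand-in: only the first 20 bytes follow the field order of OpenBSD's struct pfloghdr (length, af, action, reason, ifname[16]), the rest of a real header is skipped via its length field, the pass/block numbering and the AF_INET value are assumed, and both sample records are constructed.

```c
/* Added example: bounds-checked pflog record -> one syslog line.
 * Simplified header layout (assumed); see <net/if_pflog.h> for the real struct pfloghdr. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#define PFLOG_MIN_HDR 20   /* length, af, action, reason, ifname[16]: assumed minimum */
#define IPV4_MIN_HDR  20

struct pf_rec {
    uint8_t  action;       /* 0 pass, 1 block (PF_PASS/PF_DROP numbering assumed) */
    char     ifname[17];   /* ifname[16] from the header plus a guaranteed NUL */
    uint8_t  proto;
    char     src[INET_ADDRSTRLEN];
    char     dst[INET_ADDRSTRLEN];
    uint16_t sport, dport; /* 0 unless TCP/UDP ports were fully captured */
    int      truncated;    /* 1 if the IP total length exceeded the captured bytes */
};

/* Returns 0 on success, -1 if any network-supplied length would read past caplen. */
int parse_pflog_record(const uint8_t *buf, size_t caplen, struct pf_rec *r)
{
    memset(r, 0, sizeof *r);
    if (caplen < PFLOG_MIN_HDR)
        return -1;
    size_t hlen = buf[0];                      /* header length: check it even though the kernel wrote it */
    if (hlen < PFLOG_MIN_HDR || hlen > caplen)
        return -1;
    if (buf[1] != 2)                           /* AF_INET only in this example (value assumed) */
        return -1;
    r->action = buf[2];
    memcpy(r->ifname, buf + 4, 16);            /* may not be NUL-terminated in the record */
    r->ifname[16] = '\0';

    const uint8_t *ip = buf + hlen;
    size_t rem = caplen - hlen;                /* bytes of packet actually captured */
    if (rem < IPV4_MIN_HDR || (ip[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;   /* attacker-controlled: validate before indexing */
    size_t tot = ((size_t)ip[2] << 8) | ip[3];
    if (ihl < IPV4_MIN_HDR || ihl > rem || tot < ihl)
        return -1;
    if (tot > rem) {                           /* snaplen cut the packet: clamp, never trust tot */
        r->truncated = 1;
        tot = rem;
    }
    r->proto = ip[9];
    inet_ntop(AF_INET, ip + 12, r->src, sizeof r->src);
    inet_ntop(AF_INET, ip + 16, r->dst, sizeof r->dst);

    if ((r->proto == 6 || r->proto == 17) && tot - ihl >= 4) {  /* ports only if both are present */
        const uint8_t *l4 = ip + ihl;
        r->sport = (uint16_t)((l4[0] << 8) | l4[1]);
        r->dport = (uint16_t)((l4[2] << 8) | l4[3]);
    }
    return 0;
}

/* One line per record: ifname action proto src:port > dst:port. Returns the line length. */
size_t format_record(const struct pf_rec *r, char *line, size_t n)
{
    int len = snprintf(line, n, "%s %s %s %s:%u > %s:%u%s",
        r->ifname, r->action == 1 ? "block" : "pass",
        r->proto == 6 ? "tcp" : r->proto == 17 ? "udp" : "other",
        r->src, (unsigned)r->sport, r->dst, (unsigned)r->dport,
        r->truncated ? " [truncated]" : "");
    return len < 0 ? 0 : (size_t)len;
}

/* Constructed sample: 20-byte simplified header + 40-byte IPv4/TCP SYN to port 22. */
const uint8_t sample_ok[] = {
    20, 2, 1, 0,                                  /* length=20, AF_INET, action=block, reason=0 */
    'e','m','0',0,0,0,0,0, 0,0,0,0,0,0,0,0,       /* ifname[16] = "em0" */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00,     /* IPv4, IHL=20, total=40, id=1 */
    0x40,0x06,0x00,0x00,                          /* ttl 64, proto TCP, checksum 0 (sample only) */
    192,0,2,10, 198,51,100,5,                     /* 192.0.2.10 -> 198.51.100.5 */
    0xc0,0x00, 0x00,0x16,                         /* sport 49152, dport 22 */
    0,0,0,0, 0,0,0,0, 0x50,0x02, 0,0, 0,0, 0,0    /* seq, ack, offset/SYN, win, csum, urg */
};
/* Constructed sample: IHL claims a 60-byte IP header but only 20 bytes were captured. */
const uint8_t sample_bad_ihl[] = {
    20, 2, 1, 0, 'e','m','0',0,0,0,0,0, 0,0,0,0,0,0,0,0,
    0x4f,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    192,0,2,10, 198,51,100,5
};

int main(void)
{
    struct pf_rec r;
    char line[256];
    openlog("pflog", LOG_PID, LOG_DAEMON);
    if (parse_pflog_record(sample_ok, sizeof sample_ok, &r) == 0 &&
        format_record(&r, line, sizeof line) > 0) {
        puts(line);
        syslog(LOG_INFO, "%s", line);
    }
    if (parse_pflog_record(sample_bad_ihl, sizeof sample_bad_ihl, &r) != 0)
        syslog(LOG_WARNING, "dropping pflog record with bogus IP header length");
    closelog();
    return 0;
}
```

In a real daemon the loop around parse_pflog_record() would be fed by pcap_open_live() on pflog0, and the setuid() Jarkko mentions belongs right after that open and before the first record is parsed, so that any remaining parser bug runs without privilege. The example deliberately leaves the capture out so it runs offline on the constructed records; the point it demonstrates is that every length field is compared against the captured length before it is used as an offset.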

  3. By Anonymous Coward () on

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]