Pfctl -s states like tail -f

tonysud

If I run this command, I see the states, and then it get into shell prompt again

I'd like to have it running so that if a new state if made, I see a newline at the screen

stephenw10

You might try using:

pftop -ro age

Or other sorting options may suit you better.

Steve

tonysud

no, I don't want to use pftop

I want something text only, so that new lines are added one after others

something like tail -f /var/log/messages
(it's a text only system)
I would need something like this

stephenw10

pfTop is text only:

pfTop: Up State 1-52/612, View: default, Order: age (rev), Cache: 10000                                                17:01:32

PR        DIR SRC                       DEST                               STATE                AGE       EXP     PKTS    BYTES
tcp       In  172.27.10.238:54238       172.21.16.1:10050            SYN_SENT:ESTABLISHED  00:00:00  00:15:00        2      120
tcp       In  172.27.10.238:54248       172.21.16.1:10050            SYN_SENT:ESTABLISHED  00:00:00  00:15:00        2      120
ipv6-icmp Out fe80::1:1[0]              fe80::208:a2ff:fe09:3709[  NO_TRAFFIC:NO_TRAFFIC   00:00:00  00:00:20        1       72
ipv6-icmp In  fe80::208:a2ff:fe09:3709[ fe80::1:1[49152]           NO_TRAFFIC:NO_TRAFFIC   00:00:00  00:00:20        1       64
tcp       In  172.27.10.238:54130       172.21.16.1:10050          FIN_WAIT_2:FIN_WAIT_2   00:00:01  00:02:59       10      574
tcp       In  172.27.10.238:54014       172.21.16.1:10050          FIN_WAIT_2:FIN_WAIT_2   00:00:02  00:02:59       10      605
tcp       In  172.27.10.238:54020       172.21.16.1:10050          FIN_WAIT_2:FIN_WAIT_2   00:00:02  00:02:58       11      622
tcp       In  172.27.10.238:54026       172.21.16.1:10050          FIN_WAIT_2:FIN_WAIT_2   00:00:02  00:02:59       10      608
tcp       In  172.27.10.238:53904       172.21.16.1:10050          FIN_WAIT_2:FIN_WAIT_2   00:00:03  00:02:57       10      581

You mean you need a file of single text lines with no header?

What are you wanting to do with this?

Steve

johnpoz

"so I can redirect text to file.log and grep after one day"

Seems like he wants to log every state as created..

stephenw10

Ha, it would help if I managed to read the first post in it's entirety I guess.  ::)

Ok….

tonysud

@johnpoz:

Seems like he wants to log every state as created..

YES, It's exactly what I want to do

johnpoz

wouldn't it just be easier to log your allowed traffic and send that to syslog?

tonysud

for me it's easier to read

jimp

There is no way to do what you're after as-is.

You could maybe rig something up with just the right tcpdump parameters against the pflog interface or maybe use pfsync in some way, but we don't have anything in place that would log state activity in a way that would give you what you're after.

kpa

You could possibly look at how the pflogd daemon is implemented and roll your own version that does the same for the state tables.

https://svnweb.freebsd.org/base/releng/11.1/contrib/pf/pflogd/

stephenw10

Mmm, that may be possible. Seems quite extreme though.  ;)

I would think that adding logging and an appropriate description on the pass rules you want to know about would allow you filter exported logs. Simply exporting them to a log analyser may be good enough for what you want to see.

Steve

tonysud

Simply exporting them to a log analyser may be good enough for what you want to see.

is there a free log analyser for pfsense log?

stephenw10

Graylog seems pretty popular though I've not used it myself.

There are a number of detailed write-ups out there for different solutions, I guess it depends how deep you want to go.

Steve

tonysud

no updates?
in linux thereis conntrack -E command which does what I need
no alternative for pfsense?