Pfctl -s states like tail -f
-
hi
is there a way I can simulate the tail -f with pfctl so that I can see live what's happening?I don't like pftop, I'd like to be able to see lines as text (not ncurses) so I can redirect text to file.log and grep after one day
please help me
thanks
-
Why can't you just pipe it?
pfctl - s states | tailedit- fix typos
-
If I run this command, I see the states, and then it get into shell prompt again
I'd like to have it running so that if a new state if made, I see a newline at the screen
-
You might try using:
pftop -ro ageOr other sorting options may suit you better.
Steve
-
no, I don't want to use pftop
I want something text only, so that new lines are added one after others
something like tail -f /var/log/messages
(it's a text only system)
I would need something like this
-
pfTop is text only:
pfTop: Up State 1-52/612, View: default, Order: age (rev), Cache: 10000 17:01:32 PR DIR SRC DEST STATE AGE EXP PKTS BYTES tcp In 172.27.10.238:54238 172.21.16.1:10050 SYN_SENT:ESTABLISHED 00:00:00 00:15:00 2 120 tcp In 172.27.10.238:54248 172.21.16.1:10050 SYN_SENT:ESTABLISHED 00:00:00 00:15:00 2 120 ipv6-icmp Out fe80::1:1[0] fe80::208:a2ff:fe09:3709[ NO_TRAFFIC:NO_TRAFFIC 00:00:00 00:00:20 1 72 ipv6-icmp In fe80::208:a2ff:fe09:3709[ fe80::1:1[49152] NO_TRAFFIC:NO_TRAFFIC 00:00:00 00:00:20 1 64 tcp In 172.27.10.238:54130 172.21.16.1:10050 FIN_WAIT_2:FIN_WAIT_2 00:00:01 00:02:59 10 574 tcp In 172.27.10.238:54014 172.21.16.1:10050 FIN_WAIT_2:FIN_WAIT_2 00:00:02 00:02:59 10 605 tcp In 172.27.10.238:54020 172.21.16.1:10050 FIN_WAIT_2:FIN_WAIT_2 00:00:02 00:02:58 11 622 tcp In 172.27.10.238:54026 172.21.16.1:10050 FIN_WAIT_2:FIN_WAIT_2 00:00:02 00:02:59 10 608 tcp In 172.27.10.238:53904 172.21.16.1:10050 FIN_WAIT_2:FIN_WAIT_2 00:00:03 00:02:57 10 581You mean you need a file of single text lines with no header?
What are you wanting to do with this?
Steve
-
"so I can redirect text to file.log and grep after one day"
Seems like he wants to log every state as created..
-
Ha, it would help if I managed to read the first post in it's entirety I guess. ::)
Ok….
-
-
wouldn't it just be easier to log your allowed traffic and send that to syslog?
-
for me it's easier to read
-
There is no way to do what you're after as-is.
You could maybe rig something up with just the right tcpdump parameters against the pflog interface or maybe use pfsync in some way, but we don't have anything in place that would log state activity in a way that would give you what you're after.
-
You could possibly look at how the pflogd daemon is implemented and roll your own version that does the same for the state tables.
https://svnweb.freebsd.org/base/releng/11.1/contrib/pf/pflogd/
-
Mmm, that may be possible. Seems quite extreme though. ;)
I would think that adding logging and an appropriate description on the pass rules you want to know about would allow you filter exported logs. Simply exporting them to a log analyser may be good enough for what you want to see.
Steve
-
Simply exporting them to a log analyser may be good enough for what you want to see.
is there a free log analyser for pfsense log?
-
Graylog seems pretty popular though I've not used it myself.
There are a number of detailed write-ups out there for different solutions, I guess it depends how deep you want to go.
Steve
-
no updates?
in linux thereis conntrack -E command which does what I need
no alternative for pfsense?
