Pfctl -s states like tail -f



  • hi
    is there a way I can simulate the tail -f with pfctl so that I can see live what's happening?

    I don't like pftop, I'd like to be able to see lines as text  (not ncurses) so I can redirect text to file.log and grep after one day

    please help me
    thanks



  • Why can't you just pipe it?
    pfctl -s states | tail

    edit- fix typos



  • If I run this command, I see the states, and then it gets into the shell prompt again

    I'd like to have it running so that if a new state is made, I see a new line on the screen


  • Netgate Administrator

    You might try using:

    pftop -ro age
    

    Or other sorting options may suit you better.

    Steve



  • no, I don't want to use pftop

    I want something text only, so that new lines are added one after others

    something like tail -f /var/log/messages
    (it's a text only system)
    I would need something like this


  • Netgate Administrator

    pfTop is text only:

    pfTop: Up State 1-52/612, View: default, Order: age (rev), Cache: 10000                                                17:01:32
    
    PR        DIR SRC                       DEST                               STATE                AGE       EXP     PKTS    BYTES
    tcp       In  172.27.10.238:54238       172.21.16.1:10050            SYN_SENT:ESTABLISHED  00:00:00  00:15:00        2      120
    tcp       In  172.27.10.238:54248       172.21.16.1:10050            SYN_SENT:ESTABLISHED  00:00:00  00:15:00        2      120
    ipv6-icmp Out fe80::1:1[0]              fe80::208:a2ff:fe09:3709[  NO_TRAFFIC:NO_TRAFFIC   00:00:00  00:00:20        1       72
    ipv6-icmp In  fe80::208:a2ff:fe09:3709[ fe80::1:1[49152]           NO_TRAFFIC:NO_TRAFFIC   00:00:00  00:00:20        1       64
    tcp       In  172.27.10.238:54130       172.21.16.1:10050          FIN_WAIT_2:FIN_WAIT_2   00:00:01  00:02:59       10      574
    tcp       In  172.27.10.238:54014       172.21.16.1:10050          FIN_WAIT_2:FIN_WAIT_2   00:00:02  00:02:59       10      605
    tcp       In  172.27.10.238:54020       172.21.16.1:10050          FIN_WAIT_2:FIN_WAIT_2   00:00:02  00:02:58       11      622
    tcp       In  172.27.10.238:54026       172.21.16.1:10050          FIN_WAIT_2:FIN_WAIT_2   00:00:02  00:02:59       10      608
    tcp       In  172.27.10.238:53904       172.21.16.1:10050          FIN_WAIT_2:FIN_WAIT_2   00:00:03  00:02:57       10      581
    

    You mean you need a file of single text lines with no header?

    What are you wanting to do with this?

    Steve


  • LAYER 8 Global Moderator

    "so I can redirect text to file.log and grep after one day"

    Seems like he wants to log every state as created..


  • Netgate Administrator

    Ha, it would help if I managed to read the first post in its entirety I guess.  ::)

    Ok….



  • @johnpoz:

    Seems like he wants to log every state as created..

    YES, It's exactly what I want to do


  • LAYER 8 Global Moderator

    wouldn't it just be easier to log your allowed traffic and send that to syslog?



  • for me it's easier to read


  • Rebel Alliance Developer Netgate

    There is no way to do what you're after as-is.

    You could maybe rig something up with just the right tcpdump parameters against the pflog interface or maybe use pfsync in some way, but we don't have anything in place that would log state activity in a way that would give you what you're after.



  • You could possibly look at how the pflogd daemon is implemented and roll your own version that does the same for the state tables.

    https://svnweb.freebsd.org/base/releng/11.1/contrib/pf/pflogd/


  • Netgate Administrator

    Mmm, that may be possible. Seems quite extreme though.  ;)

    I would think that adding logging and an appropriate description on the pass rules you want to know about would allow you filter exported logs. Simply exporting them to a log analyser may be good enough for what you want to see.

    Steve



  • Simply exporting them to a log analyser may be good enough for what you want to see.

    is there a free log analyser for pfsense log?


  • Netgate Administrator

    Graylog seems pretty popular though I've not used it myself.

    There are a number of detailed write-ups out there for different solutions, I guess it depends how deep you want to go.

    Steve



  • no updates?
    in linux there is the conntrack -E command which does what I need
    no alternative for pfsense?

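One way to get the line-oriented, tail -f style output asked for in this thread, as an added example that is not from the thread or from pfSense itself: poll pfctl -s states and print only the differences between consecutive snapshots. It assumes FreeBSD-style pfctl output with the state pair (e.g. ESTABLISHED:ESTABLISHED) as the last field of each line; INTERVAL, state_keys, new_states, closed_states and follow_states are names chosen here.

```shell
#!/bin/sh
# Added example: emulate "tail -f" for the pf state table by polling
# `pfctl -s states` and printing only states that appeared or disappeared
# since the previous snapshot. Output is plain text, so it can be appended
# to a file and grepped later, e.g.:
#     sh states-follow.sh follow >> /var/log/states.log
# Caveat: states that open and close between two polls are never seen;
# lower INTERVAL if that matters, at the cost of more pfctl calls.

INTERVAL=${INTERVAL:-1}   # seconds between polls (assumed name)

# state_keys: read `pfctl -s states` lines on stdin, drop the trailing state
# column so a SYN_SENT -> ESTABLISHED transition is not reported as a new
# state, and emit one sorted, de-duplicated key per state.
state_keys() {
    awk 'NF > 1 { $NF = ""; sub(/[ \t]+$/, ""); print }' | sort -u
}

# new_states OLD NEW: keys present in NEW but not in OLD, timestamped.
# OLD and NEW are files produced by state_keys (sorted, as comm requires).
new_states() {
    comm -13 "$1" "$2" | while IFS= read -r key; do
        printf '%s NEW %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$key"
    done
}

# closed_states OLD NEW: keys that vanished since the previous snapshot.
closed_states() {
    comm -23 "$1" "$2" | while IFS= read -r key; do
        printf '%s GONE %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$key"
    done
}

# follow_states: the polling loop that ties the pieces together.
follow_states() {
    prev=$(mktemp)
    cur=$(mktemp)
    trap 'rm -f "$prev" "$cur"' EXIT INT TERM
    pfctl -s states | state_keys > "$prev"
    while sleep "$INTERVAL"; do
        pfctl -s states | state_keys > "$cur"
        new_states "$prev" "$cur"
        closed_states "$prev" "$cur"
        mv "$cur" "$prev"
    done
}

case "${1:-}" in follow) follow_states ;; esac
```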
