The PF log daemon, pflogd, writes the packets that PF sends to a capture datalink to a log file in libpcap binary format. Logging is optional and is enabled per rule by the log action. For log options, see the log entry in Packet Filter Rule Optional Actions.
The pflogd daemon runs as the svc:/network/firewall/pflog SMF service. By default, the log action sends packets to the pflog0 datalink. The packets are written by the pflog:default service instance to a pflog0.pkt log file in the /var/log/firewall/pflog directory.
The pflog service adds selective filtering to PF's default logging:
Packets that are intercepted at the capture link can be further filtered by BPF (Berkeley Packet Filter). A userland application such as pflog, tcpdump, or Wireshark configures this filtering to select just a subset of the captured packets for logging.
Because the BPF filter drops unwanted captured packets in the kernel, filtering saves CPU cycles. Those packets are not copied to userland.
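The following Python sketch reads a pflog0.pkt capture offline and counts logged packets per action, rule number, and interface, which is a quick way to confirm that a rule's log action is producing records. It is an added example, not code from this documentation or from PF. It assumes the classic libpcap file layout and the OpenBSD-derived pflog record header (link type 117); the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

DLT_PFLOG = 117                     # libpcap link type for PF log records
ACTIONS = {0: "pass", 1: "block"}   # PF_PASS / PF_DROP; other codes are shown as numbers
# Assumed header prefix: length, af, action, reason, ifname[16], ruleset[16], rulenr, subrulenr
PREFIX = struct.Struct("!BBBB16s16sII")

def read_pflog(data):
    """Yield (ifname, action, rulenr, payload) for each record in a pcap byte string."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic libpcap file")
    linktype = struct.unpack_from(order + "I", data, 20)[0]
    if linktype != DLT_PFLOG:
        raise ValueError(f"link type {linktype} is not DLT_PFLOG ({DLT_PFLOG})")
    rec, off = struct.Struct(order + "IIII"), 24
    while off + rec.size <= len(data):
        _sec, _usec, caplen, _origlen = rec.unpack_from(data, off)
        pkt = data[off + rec.size: off + rec.size + caplen]
        off += rec.size + caplen
        if len(pkt) < caplen or caplen < PREFIX.size:
            break                   # truncated file or record: stop rather than guess
        hdrlen, _af, action, _reason, ifname, _rs, rulenr, _sub = PREFIX.unpack_from(pkt)
        payload = pkt[(hdrlen + 3) & ~3:]   # packet follows the header, padded to 4 bytes
        yield (ifname.split(b"\0")[0].decode("ascii", "replace"),
               ACTIONS.get(action, str(action)), rulenr, payload)

def summarize(data):
    """Count logged packets per (action, rule number, interface)."""
    return Counter((a, r, i) for i, a, r, _p in read_pflog(data))

def build_sample():
    """Constructed two-record capture (not real traffic) for running the parser offline."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_PFLOG)
    for action, rulenr in ((1, 3), (0, 7)):
        hdr = PREFIX.pack(61, 2, action, 0, b"net0", b"", rulenr, 0xFFFFFFFF)
        hdr += b"\0" * 16 + b"\x01" + b"\0" * 3      # uid/pid fields, dir, pad
        pkt = hdr + b"\x45" + b"\0" * 19             # stand-in 20-byte IPv4 header
        out += struct.pack("<IIII", 1700000000, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    # On a real system, pass open(path, "rb").read() for the pflog0.pkt file instead.
    for key, count in sorted(summarize(build_sample()).items()):
        print(count, *key)
```

The link-type check rejects captures taken on an ordinary datalink, whose records carry no PF rule metadata.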