The PF log daemon, pflogd, writes packets that PF sends to a capture datalink to a log in libpcap binary file format. Logging is enabled by the log action per rule and is optional. For log options, see log entry in Packet Filter Rule Optional Actions.
The pflogd daemon runs as the svc:/network/firewall/pflog SMF service. By default, the log action sends packets to the pflog0 datalink. The packets are written by the pflog:default service instance to a pflog0.pkt log file in the /var/log/firewall/pflog directory.
The pflog service adds selective filtering to PF's default logging:
PF sends packets that are logged due to a log action to the specified capture link. If the action does not specify a link, PF uses pflog0 by default.
Packets that are intercepted at the capture link can be further filtered by BPF (Berkeley Packet Filter). This filtering is configured by a userland application such as pflog or tcpdump or Wireshark, to select just a subset of the captured packets for logging.
By logging desired packets only, the PF administrator reduces CPU cycles, because when the the rule is applied in the kernel, it is not routed through userland.
For ways to customize packet logging, see Using Packet Filter Logging and the pflogd(1M) man page.