Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Wednesday, February 9, 2022

pflogd (8)


pflogd - packet filter logging daemon


pflogd [-C new-pflog-instance-name | -c pflog-instance-name] [-d delay]
[-f filename] [-i interface] [-s snaplen] [expression]


PFLOGD(8)                 BSD System Manager's Manual                PFLOGD(8)

     pflogd -- packet filter logging daemon

     pflogd [-C new-pflog-instance-name | -c pflog-instance-name] [-d delay]
            [-f filename] [-i interface] [-s snaplen] [expression]

     pflogd is a background daemon which reads packets logged by pf(4) to a
     dedicated capture link interface (see dladm(1M) for details), normally
     pflog0, and writes the packets to a logfile (normally
     /var/log/firewall/pflog/pflog0.pkt) in libpcap format (see PCAP(3pcap)
     for details).  These logs can be reviewed later using the -r option of
     tcpdump(8), hopefully offline in case there are bugs in the packet pars-
     ing code of tcpdump(8).

     pflogd closes and then re-opens the log file when it receives SIGHUP,
     permitting convenient log rotation.  SIGALRM causes pflogd to flush the
     current logfile buffers to the disk, thus making the most recent logs
     available.  The buffers are also flushed every delay seconds.

     If the log file contains data after a restart or a SIGHUP, new logs are
     appended to the existing file.  If the existing log file was created with
     a different snaplen, pflogd temporarily uses the old snaplen to keep the
     log file consistent.

     pflogd tries to preserve the integrity of the log file against I/O
     errors.  Furthermore, integrity of an existing log file is verified
     before appending.  If there is an invalid log file or an I/O error, the
     log file is moved out of the way and a new one is created.  If a new file
     cannot be created, logging is suspended until a SIGHUP or a SIGALRM is

     pflogd will also log the pcap statistics for the capture link interface
     to syslog when a SIGUSR1 is received.

     The options are as follows:

     -C new-pflog-instance-name
             Creates a new pflogd instance with the specified name. If addi-
             tional options are used to specify configuration, it is stored
             into the smf(7) repository. Default values are used for smf(7)
             properties unless overriden by a command-line option. The excep-
             tion is pflog/interface (set to equal the instance name) and
             pflog/logfile (set to a file with name equal to the instance name
             followed by the .pkt extension located inside the
             /var/log/firewall/pflog/ directory) if the service instance name
             forms a valid linkname. If the service instance name is not a
             valid linkname, the values must be given explicitly.

     -c pflog-instance-name
             Shows/changes the configuration of the given pflogd instance in
             smf(7) repository. Attributes specified by additional options are
             placed into the smf(7) repository.

     -d delay
             Time in seconds to delay between automatic flushes of the file.
             This may be specified with a value between 5 and 3600 seconds.
             If not specified, the default is 60 seconds.

     -f filename
             Log output filename. When neither -C nor -c is used, the default
             value pflog.pkt is used.

     -i interface
             Specifies the capture link interface to use.  When neither -C nor
             -c is used, the default value pflog0 is assumed.

     -s snaplen
             Analyze at most the first snaplen bytes of data from each packet
             rather than the default of 160.  The default of 160 is adequate
             for IP, ICMP, TCP, and UDP headers but may truncate protocol
             information for other protocols.  Other file parsers may desire a
             higher snaplen.

             Selects which packets will be dumped, using the regular language
             of tcpdump(8).  Tcpdump has been extended to be able to filter on
             the pfloghdr structure defined in <net/if_pflog.h>.  It can
             restrict the output to packets logged on a specified interface, a
             rule number, a reason, a direction, an IP family or an action.

                ip                 Address family equals IPv4.
                ip6                Address family equals IPv6.
                ifname kue0        Interface name equals "kue0".
                on kue0            Interface name equals "kue0".
                ruleset authpf     Ruleset name equals "authpf".
                rulenum 10         Rule number equals 10.
                reason match       Reason equals match.  Also accepts "bad-
                                   offset", "fragment", "short", "normalize",
                                   "memory", "bad-timestamp", "congestion",
                                   "ip-option", "proto-cksum", "state-mis-
                                   match", "state-insert", "state-limit",
                                   "src-limit", and "synproxy".
                action pass        Action equals pass.  Also accepts "block"
                                   and "match".
                inbound            The direction was inbound.
                outbound           The direction was outbound.

     The pflogd daemon must be started as an smf(7) service with the following


     Command line options described above are set via the following smf(7)
        pflog/delay      Automatic flush interval.  The default value is 60.
                         Used as the argument for the -d option.
        pflog/filter     Packet filter expression in tcpdump(8) format.  No
                         expression is defined by default.
        pflog/interface  The capture link name from which to read packets.
                         Used as the argument for the -i option.
        pflog/logfile    Path to the logfile (for security reasons, only paths
                         starting by the /var/log/firewall/ directory are
                         allowed.  Used as the argument for the -f option.
        pflog/snaplen    An upper bound on how many bytes from each packet to
                         analyze.  The default value is 160.  Used as the
                         argument for the -s option.

     The start method creates a (temporal) capture link the particular
     instance is using.

     The refresh method sends SIGHUP to pflogd owned by particular service

     Log specific TCP packets to a different log file with a large snaplen
     (useful with a "log all" rule to dump complete sessions):

           # pflogd -s 1600 -f suspicious.log port 80 and host evilhost

     Log from another capture link interface, excluding specific packets:

           # pflogd -i pflog3 -f network3.log "not (tcp and port 23)"

     Display binary logs:

           # tcpdump -n -e -ttt -r /var/log/firewall/pflog/pflog3.pkt

     Display the logs in real time (this does not interfere with the operation
     of pflogd):

           # tcpdump -n -e -ttt -i pflog0

     Display the logs in real time of inbound packets that were blocked on the
     wi0 interface:

           # tcpdump -n -e -ttt -i pflog0 inbound and action block and on wi0

     The pflogd daemon is a privilege-aware application which runs as the
     ``daemon'' user possessing PRIV_NET_OBSERVABILITY privilege that is
     required for using bpf(7d) to read packets. See privileges(7) for
     details.  The service start method uses dladm(8) to create capture link
     if it does not exist already.

     To configure the pflogd service one has to obtain the
     solaris.smf.value.network.firewall authorization.  To manage the service
     (disable/enable/refresh) one must have the
     solaris.smf.manage.network.firewall authorization.  Both authorizations
     are granted through the Network Firewall Management profile.  To create
     new service instances, you need the solaris.smf.modify authorization.

     See attributes(7) for descriptions of the following attributes:

     |ATTRIBUTE TYPE |        ATTRIBUTE VALUE          |
     |Availability   | network/firewall/firewall-pflog |
     |Stability      | Volatile                        |

     pcap(3), pf.conf(5), privileges(7), smf(7), tcpdump(8)

     The pflogd command appeared in OpenBSD 3.0.  The Solaris version is based
     on pflogd found in OpenBSD 5.5.

     pflogd was written by Can Erkin Acar <canacar@openbsd.org>.

     Source code for open source software components in Oracle Solaris can be
     found at https://www.oracle.com/downloads/opensource/solaris-source-code-

     This software was built from source available at https://github.com/ora-
     cle/solaris-userland.  The original community source was downloaded from

     Further information about this software can be found on the open source
     community website at http://www.openbsd.org.

BSD                            January 21, 2014                            BSD