<table class="head">
<tr>
<td class="head-ltitle">NPFLOG(4)</td>
<td class="head-vol">Device Drivers Manual</td>
<td class="head-rtitle">NPFLOG(4)</td>
</tr>
</table>
<div class="manual-text">
<section class="Sh">
<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
<p class="Pp"><code class="Nm">npflog</code> — <span class="Nd">packet
filter logging interface</span></p>
</section>
<section class="Sh">
<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
<p class="Pp"><code class="Cd">pseudo-device npflog</code></p>
</section>
<section class="Sh">
<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
<p class="Pp">The <code class="Nm">npflog</code> interface is a pseudo-device
which makes visible all packets logged by the <a class="Xr">npf(7)</a>
packet filter. Logged packets can be monitored in real time by invoking
<a class="Xr">tcpdump(8)</a> on the <code class="Nm">npflog</code>
interface, or stored to disk using <a class="Xr">npfd(8)</a>.</p>
<p class="Pp">The npflog0 interface is created automatically at boot if
<a class="Xr">npf(7)</a> is enabled; further instances can be created using
<a class="Xr">ifconfig(8)</a>.</p>
<p class="Pp">Each packet retrieved on this interface has an associated header
that presently matches the format used by <a class="Xr">pf(4)</a>. This
header documents the address family, interface name, rule number, reason,
action, and direction of the packet that was logged. The structure looks
like:</p>
<div class="Bd Pp Bd-indent Li">
<pre>struct npfloghdr {
    uint8_t     length;
    sa_family_t af;
    uint8_t     action;
    uint8_t     reason;
    char        ifname[IFNAMSIZ];
    char        ruleset[NPFLOG_RULESET_NAME_SIZE];
    uint32_t    rulenr;
    uint32_t    subrulenr;
    uint32_t    uid;
    uint32_t    pid;
    uint32_t    rule_uid;
    uint32_t    rule_pid;
    uint8_t     dir;
    uint8_t     pad[3];
};</pre>
</div>
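<p class="Pp">The following is an added example, not code from NetBSD or from this manual page: a bounds-checked decoder for one captured record carrying the header above, of the kind a log-analysis tool would need before trusting any field. All <code>ex_</code> names are hypothetical, and it assumes a one-byte <code>sa_family_t</code>, 16-byte <code>ifname</code> and <code>ruleset</code> arrays, rule numbers in network byte order, and a <code>length</code> field that excludes the trailing pad with the logged packet starting at the next 4-byte boundary, as pf's log header does.</p>

```c
#include <stdint.h>
#include <string.h>

/* Assumed layout, not stated on the page: 1-byte sa_family_t (NetBSD),
 * IFNAMSIZ = 16, NPFLOG_RULESET_NAME_SIZE = 16, so dir sits at offset 60. */
enum { EX_IFNAMSIZ = 16, EX_OFF_RULENR = 36, EX_OFF_DIR = 60 };

struct ex_rec {                      /* hypothetical decoded form */
    uint8_t af, action, reason, dir;
    char ifname[EX_IFNAMSIZ + 1];    /* always NUL-terminated here */
    uint32_t rulenr, subrulenr;
    size_t payload_off;              /* where the logged packet starts */
};

static uint32_t ex_be32(const uint8_t *p)   /* assumed network byte order */
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 0 on success, -1 if the record is truncated or inconsistent. */
int ex_parse(const uint8_t *buf, size_t caplen, struct ex_rec *out)
{
    if (caplen < EX_OFF_DIR + 1 || buf[0] < EX_OFF_DIR + 1)
        return -1;                   /* fixed fields not fully present */
    size_t hdrlen = ((size_t)buf[0] + 3) & ~(size_t)3;  /* 4-byte aligned */
    if (hdrlen > caplen)
        return -1;                   /* length field overruns the capture */
    out->af = buf[1]; out->action = buf[2]; out->reason = buf[3];
    memcpy(out->ifname, buf + 4, EX_IFNAMSIZ);
    out->ifname[EX_IFNAMSIZ] = '\0'; /* source may lack a terminator */
    out->rulenr = ex_be32(buf + EX_OFF_RULENR);
    out->subrulenr = ex_be32(buf + EX_OFF_RULENR + 4);
    out->dir = buf[EX_OFF_DIR];
    out->payload_off = hdrlen;
    return 0;
}

/* Constructed sample: header for rule 7 on "wm0" plus 4 payload bytes. */
size_t ex_sample(uint8_t buf[68])
{
    memset(buf, 0, 68);
    buf[0] = 61;  buf[1] = 2;        /* length without pad; af = AF_INET */
    memcpy(buf + 4, "wm0", 3);
    buf[39] = 7;  buf[60] = 1;       /* rulenr low byte; constructed dir */
    buf[64] = 0x45;                  /* first byte of the logged packet */
    return 68;
}
```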
</section>
<section class="Sh">
<h1 class="Sh" id="EXAMPLES"><a class="permalink" href="#EXAMPLES">EXAMPLES</a></h1>
<p class="Pp">Monitor all packets logged on the default interface:</p>
<div class="Bd Pp Bd-indent Li">
<pre># tcpdump -n -e -tttt -i npflog0</pre>
</div>
</section>
<section class="Sh">
<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
ALSO</a></h1>
<p class="Pp"><a class="Xr">inet(4)</a>, <a class="Xr">inet6(4)</a>,
<a class="Xr">netintro(4)</a>, <a class="Xr">npf(7)</a>,
<a class="Xr">ifconfig(8)</a>, <a class="Xr">npfd(8)</a>,
<a class="Xr">tcpdump(8)</a></p>
</section>
<section class="Sh">
<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1>
<p class="Pp">The <code class="Nm">npflog</code> device first appeared in
<span class="Ux">NetBSD 6.0</span>.</p>
</section>
</div>
<table class="foot">
<tr>
<td class="foot-date">June 29, 2023</td>
<td class="foot-os">NetBSD 10.1</td>
</tr>
</table>