1.\" $NetBSD: npflog.4,v 1.2 2023/06/29 23:20:02 gutteridge Exp $ 2.\" $OpenBSD: pflog.4,v 1.10 2007/05/31 19:19:51 jmc Exp $ 3.\" 4.\" Copyright (c) 2001 Tobias Weingartner 5.\" All rights reserved. 6.\" 7.\" Copyright (c) 2023 The NetBSD Foundation, Inc. 8.\" All rights reserved. 9.\" 10.\" Portions of this documentation are derived from text contributed by 11.\" David H. Gutteridge. 12.\" 13.\" Redistribution and use in source and binary forms, with or without 14.\" modification, are permitted provided that the following conditions 15.\" are met: 16.\" 1. Redistributions of source code must retain the above copyright 17.\" notice, this list of conditions and the following disclaimer. 18.\" 2. Redistributions in binary form must reproduce the above copyright 19.\" notice, this list of conditions and the following disclaimer in the 20.\" documentation and/or other materials provided with the distribution. 21.\" 22.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 23.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 24.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 25.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 26.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 27.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 31.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32.\" 33.Dd June 29, 2023 34.Dt NPFLOG 4 35.Os 36.Sh NAME 37.Nm npflog 38.Nd packet filter logging interface 39.Sh SYNOPSIS 40.Cd "pseudo-device npflog" 41.Sh DESCRIPTION 42The 43.Nm 44interface is a pseudo-device which makes visible all packets logged by 45the 46.Xr npf 7 47packet filter. 48Logged packets can be monitored in real time by invoking 49.Xr tcpdump 8 50on the 51.Nm 52interface, or stored to disk using 53.Xr npfd 8 . 54.Pp 55The npflog0 interface is created automatically at boot if 56.Xr npf 7 57is enabled; 58further instances can be created using 59.Xr ifconfig 8 . 60.Pp 61Each packet retrieved on this interface has a header associated 62that presently matches the format used by 63.Xr pf 4 . 64This header documents the address family, interface name, rule 65number, reason, action, and direction of the packet that was logged. 66This structure looks like: 67.Bd -literal -offset indent 68struct npfloghdr { 69 uint8_t length; 70 sa_family_t af; 71 uint8_t action; 72 uint8_t reason; 73 char ifname[IFNAMSIZ]; 74 char ruleset[NPFLOG_RULESET_NAME_SIZE]; 75 uint32_t rulenr; 76 uint32_t subrulenr; 77 uint32_t uid; 78 uint32_t pid; 79 uint32_t rule_uid; 80 uint32_t rule_pid; 81 uint8_t dir; 82 uint8_t pad[3]; 83}; 84.Ed 85.Sh EXAMPLES 86Monitor all packets logged on the default interface: 87.Bd -literal -offset indent 88# tcpdump -n -e -tttt -i npflog0 89.Ed 90.Sh SEE ALSO 91.Xr inet 4 , 92.Xr inet6 4 , 93.Xr netintro 4 , 94.Xr npf 7 , 95.Xr ifconfig 8 , 96.Xr npfd 8 , 97.Xr tcpdump 8 98.Sh HISTORY 99The 100.Nm 101device first appeared in 102.Nx 6.0 . 103