NAME
npfd —
packet filter logging and state
synchronization daemon
SYNOPSIS
npfd |
[-D]
[-d delay]
[-f
filename]
[-i
interface]
[-p
pidfile]
[-s
snaplen]
[expression] |
DESCRIPTION
npfd is a background daemon which reads packets logged by
npf(7) to an npflog interface,
normally
npflog0, and writes the packets to a logfile
(normally
/var/log/npflog0.pcap) in
pcap(3) format, which can be read
by
tcpdump(8). These logs can
be reviewed later using the
-r option of
tcpdump(8), hopefully offline
in case there are bugs in the packet parsing code of
tcpdump(8).
npfd closes and then re-opens the log file when it receives
SIGHUP
, permitting
newsyslog(8) to rotate
logfiles automatically.
SIGALRM
causes
npfd to flush the current logfile buffers to the disk, thus
making the most recent logs available. The buffers are also flushed every
delay seconds.
If the log file contains data after a restart or a
SIGHUP
, new logs are appended to the existing file. If
the existing log file was created with a different snaplen,
npfd temporarily uses the old snaplen to keep the log file
consistent.
npfd tries to preserve the integrity of the log file against
I/O errors. Furthermore, integrity of an existing log file is verified before
appending. If there is an invalid log file or an I/O error, the log file is
moved out of the way and a new one is created. If a new file cannot be
created, logging is suspended until a
SIGHUP
or a
SIGALRM
is received.
If
SIGINFO
is received, then
npfd logs
capture statistics to
syslogd(8).
The options are as follows:
-
-
- -D
- Debugging mode. npfd does not
disassociate from the controlling terminal.
-
-
- -d
delay
- Time in seconds to delay between automatic flushes of the
file. This may be specified with a value between 5 and 3600 seconds. If
not specified, the default is 60 seconds.
-
-
- -f
filename
- Log output filename. Default is
/var/log/npflog0.pcap.
-
-
- -i
interface
- Specifies the npflog interface to use. By default,
npfd will use npflog0.
-
-
- -p
pidfile
- Writes a file containing the process ID of the program. The
file name has the form /var/run/npfd.pid. If the option
is not given, pidfile defaults to
npfd.
-
-
- -s
snaplen
- Analyze at most the first snaplen
bytes of data from each packet rather than the default of 116. The default
of 116 is adequate for IP, ICMP, TCP, and UDP headers but may truncate
protocol information for other protocols. Other file parsers may desire a
higher snaplen.
-
-
- expression
- Selects which packets will be dumped, using the regular
language of
tcpdump(8).
FILES
- /var/run/npfd.pid
- Process ID of the currently running
npfd.
- /var/log/npflog0.pcap
- Default log file.
EXAMPLES
Log specific tcp packets to a different log file with a large snaplen (useful
with a log-all rule to dump complete sessions):
# npfd -s 1600 -f suspicious.log port 80 and host evilhost
Log from another npflog interface, excluding specific packets:
# npfd -i npflog3 -f network3.log "not (tcp and port 23)"
Display binary logs:
# tcpdump -n -e -ttt -r /var/log/npflog0.pcap
Display the logs in real time (this does not interfere with the operation of
npfd):
# tcpdump -n -e -ttt -i npflog0.pcap
Tcpdump has been extended to be able to filter on the
OpenBSD pfloghdr structure defined in
sys/net/npf/if_npflog.h. Tcpdump can restrict the output
to packets logged on a specified interface, a rule number, a reason, a
direction, an IP family or an action.
- ip
- Address family equals IPv4.
- ip6
- Address family equals IPv6.
- ifname kue0
- Interface name equals "kue0".
- on kue0
- Interface name equals "kue0".
- ruleset rules
- Ruleset name equals "rules".
- rulenum 10
- Rule number equals 10.
- reason match
- Reason equals match.
- action pass
- Action equals pass. Also accepts "block".
- inbound
- The direction was inbound.
- outbound
- The direction was outbound.
Display the logs in real time of inbound packets that were blocked on the wi0
interface:
# tcpdump -n -e -ttt -i npflog0 inbound and action block and on wi0
Each
npf(7) rule is marked with an id
number, shown using:
# npfctl show
block final all apply "log" # id="45"
This id is the rule id shown by tcpdump:
# tcpdump -enr /var/log/npflog0.pcap
11:26:02.288199 rule 45.rules.0/0(match): block in on sk0: \
1.2.3.4.46063 > 5.6.7.8.23231: Flags [S], seq 1, win 8192, \
options [mss 1440], length 0
SEE ALSO
pcap(3),
npf.conf(5),
npf(7),
newsyslog(8),
npfctl(8),
tcpdump(8)
HISTORY
The
npfd command appeared in
NetBSD
8.0.
AUTHORS
This manual page was written by
Can Erkin Acar
<
canacar@openbsd.org>.