NPFD(8) | System Manager's Manual | NPFD(8) |
npfd
— packet
filter logging and state synchronization daemon
npfd |
[-D ] [-d
delay] [-f
filename] [-i
interface] [-p
pidfile] [-s
snaplen] [expression] |
npfd
is a background daemon which writes
to a file in pcap(3) format
logged packets read from an npflog interface. The npflog interface is used
by npf(7) to log packets as
defined in npf.conf(5). The
generated pcap(3) files can then
be analysed using tools such as
tcpdump(8).
npfd
closes and then re-opens the log file
when it receives SIGHUP
, permitting
newsyslog(8) to rotate
logfiles automatically. SIGALRM
causes
npfd
to flush the current logfile buffers to the
disk, thus making the most recent logs available. The buffers are also
flushed every delay seconds.
If the log file contains data after a restart or a
SIGHUP
, new logs are appended to the existing file.
If the existing log file was created with a different snaplen,
npfd
temporarily uses the old snaplen to keep the
log file consistent.
npfd
tries to preserve the integrity of
the log file against I/O errors. Furthermore, integrity of an existing log
file is verified before appending. If there is an invalid log file or an I/O
error, the log file is moved out of the way and a new one is created. If a
new file cannot be created, logging is suspended until a
SIGHUP
or a SIGALRM
is
received.
If SIGINFO
is received, then
npfd
logs capture statistics to
syslogd(8).
The options are as follows:
-D
npfd
does not disassociate from
the controlling terminal.-d
delay-f
filename-i
interfacenpfd
will use npflog0.-p
pidfile-s
snaplennpfd
.Log specific tcp packets to a different log file with a large snaplen (useful with a log-all rule to dump complete sessions):
# npfd -s 1600 -f suspicious.log port 80 and host evilhost
Log from another npflog interface, excluding specific packets:
# npfd -i npflog3 -f network3.log "not (tcp and port 23)"
Display binary logs:
# tcpdump -n -e -ttt -r /var/log/npflog0.pcap
Display the logs in real time (this does not interfere with the
operation of npfd
):
# tcpdump -n -e -ttt -i npflog0
Tcpdump has been extended to be able to filter on the OpenBSD pfloghdr structure defined in sys/net/npf/if_npflog.h. Tcpdump can restrict the output to packets logged on a specified interface, a rule number, a reason, a direction, an IP family or an action.
Display the logs in real time of inbound packets that were blocked on the wi0 interface:
# tcpdump -n -e -ttt -i npflog0 inbound and action block and on wi0
Each npf(7) rule is marked with an id number, shown using:
# npfctl show ... block final all apply "log" # id="45" ...
This id is the rule id shown by tcpdump:
# tcpdump -enr /var/log/npflog0.pcap ... 11:26:02.288199 rule 45.rules.0/0(match): block in on sk0: \ 1.2.3.4.46063 > 5.6.7.8.23231: Flags [S], seq 1, win 8192, \ options [mss 1440], length 0 ...
pcap(3), npf.conf(5), npf(7), newsyslog(8), npfctl(8), tcpdump(8)
The npfd
command appeared in
NetBSD 8.0.
This manual page was written by Can Erkin Acar <canacar@openbsd.org>.
Offline analysis of captured data is advised to alleviate issues with malicious data intended to exploit bugs in the packet parsing code of tcpdump(8).
August 7, 2018 | NetBSD 10.99 |