Thursday, May 7, 2009

Wireshark Filters for OpenBSD's PF logs

By accident I found how to create a few Wireshark filters for OpenBSD PF logs.

View by PF rule number: pflog.rulenr == xx (where xx is the rule number; pfctl -vvsr prints each loaded rule prefixed with @ and that number)
View only passed packets: pflog.action == 0 (PF_PASS)
View only blocked packets: pflog.action == 1 (PF_DROP, which is what pf records for block rules, including block return)
View by network interface: pflog.ifname == "xxxx" (the name of the interface the packet was logged on, as shown by ifconfig, not pflog0 itself)

These fields are only decoded when the capture has the pflog link type, which is what /var/log/pflog and tcpdump -i pflog0 -w produce; a capture taken on the real interface will not have them.

This should save me some time when going over the logs.
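As an added example (not from the original post or from the Wireshark or OpenBSD projects), the script below parses a pflog-format pcap directly and applies the same predicates as the three display filters above, which shows where Wireshark gets pflog.action, pflog.rulenr and pflog.ifname from: the 64-byte pfloghdr in front of each logged packet (OpenBSD 4.x layout; later releases append fields after it, and the leading length byte is used to skip past whatever the header size is). The sample capture is constructed inline with stand-in interface names, rule numbers and a stub IP payload; the uid/pid fields are filled with placeholder values and not interpreted.

```python
"""Parse a DLT_PFLOG pcap and filter records the way Wireshark's
pflog.rulenr, pflog.action and pflog.ifname display filters do."""
import struct

DLT_PFLOG = 117          # pcap link type for OpenBSD pflog captures
PF_PASS, PF_DROP = 0, 1  # pflog.action values; PF_DROP is what block rules log
AF_INET, PF_IN = 2, 1    # OpenBSD constants used in the constructed sample

# First 64 bytes of struct pfloghdr (OpenBSD 4.x):
#   length, af, action, reason, ifname[16], ruleset[16],
#   rulenr, subrulenr (network byte order), uid, pid, rule_uid, rule_pid
#   (host order, left uninterpreted here), dir, pad[3]
PFLOG_FMT = ">BBBB16s16sIIIIIIB3x"
PFLOG_HDRLEN = struct.calcsize(PFLOG_FMT)  # 64


def parse_pflog_pcap(data):
    """Return one dict per pflog record in a little-endian classic pcap."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap (magic a1b2c3d4) handled here")
    if linktype != DLT_PFLOG:
        raise ValueError("not a pflog capture (link type %d)" % linktype)
    off, records = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        pkt = data[off:off + incl_len]
        off += incl_len
        (length, af, action, reason, ifname, ruleset, rulenr, subrulenr,
         _uid, _pid, _rule_uid, _rule_pid, direction) = struct.unpack_from(PFLOG_FMT, pkt, 0)
        records.append({
            "ts": ts_sec + ts_usec / 1e6,
            "af": af, "action": action, "reason": reason,
            "ifname": ifname.split(b"\0", 1)[0].decode("ascii"),
            "ruleset": ruleset.split(b"\0", 1)[0].decode("ascii"),
            "rulenr": rulenr, "subrulenr": subrulenr, "dir": direction,
            "payload": pkt[length:],  # the logged IP packet follows the pflog header
        })
    return records


def pflog_filter(records, rulenr=None, action=None, ifname=None):
    """Same result as joining pflog.rulenr ==, pflog.action == and
    pflog.ifname == with && in Wireshark's filter bar; None means 'any'."""
    return [r for r in records
            if (rulenr is None or r["rulenr"] == rulenr)
            and (action is None or r["action"] == action)
            and (ifname is None or r["ifname"] == ifname)]


# --- constructed sample capture (not real log data) ---------------------------
def build_record(action, ifname, rulenr, payload):
    """Build one pflog record: header plus the logged packet bytes."""
    hdr = struct.pack(PFLOG_FMT, PFLOG_HDRLEN, AF_INET, action, 0,
                      ifname.encode("ascii"), b"",      # no anchor: empty ruleset
                      rulenr, 0xFFFFFFFF,               # subrulenr -1 when no anchor
                      0xFFFFFFFF, 0xFFFFFFFF, 0, 0,     # uid/pid placeholders
                      PF_IN)
    return hdr + payload


def build_pcap(records):
    """Wrap records in a little-endian classic pcap with DLT_PFLOG."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_PFLOG)
    for i, rec in enumerate(records):
        out += struct.pack("<IIII", 1241700000 + i, 0, len(rec), len(rec)) + rec
    return out


STUB_IPV4 = b"\x45\x00\x00\x14" + b"\0" * 16  # stand-in 20-byte IPv4 header
SAMPLE_PCAP = build_pcap([
    build_record(PF_PASS, "em0", 2, STUB_IPV4),   # would match pflog.action == 0
    build_record(PF_DROP, "em0", 0, STUB_IPV4),   # would match pflog.action == 1
    build_record(PF_DROP, "fxp0", 5, STUB_IPV4),
    build_record(PF_PASS, "fxp0", 2, STUB_IPV4),  # would match pflog.rulenr == 2
])

if __name__ == "__main__":
    recs = parse_pflog_pcap(SAMPLE_PCAP)
    for label, hits in [("blocked", pflog_filter(recs, action=PF_DROP)),
                        ("rule 2", pflog_filter(recs, rulenr=2)),
                        ("em0 blocked", pflog_filter(recs, ifname="em0", action=PF_DROP))]:
        print(label, [(r["ifname"], r["rulenr"], r["action"]) for r in hits])
```

Pointing parse_pflog_pcap at a real /var/log/pflog gives the same records Wireshark shows, so a check like pflog_filter(recs, action=PF_DROP) can be scripted for a batch of files instead of typed into the filter bar each time.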