Saturday, August 1, 2009

TCPDUMP Filter on OpenBSD PF Rule Number

Normally, to watch the traffic PF is currently logging on OpenBSD, you run the following:

$ sudo tcpdump -nettti pflog0

This will display all the traffic you're logging; however, if you only want to view the traffic matched by a certain rule, you have to filter on that rule's number. Since tcpdump has access to the pflog link-level header, which carries the rule number, you can filter on the PF rule number directly.

First find out the rule number of the PF rule you want to filter on by running this command:

$ sudo pfctl -vvsr
(that is two v's, not a w)

Then find the rule number of the desired PF rule and add it to your tcpdump command:

$ sudo tcpdump -nettti pflog0 rnr X

where X is the PF rule number.
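As an added example (not from the original post), the POSIX shell script below does the lookup step for you: it finds a rule's number in pfctl -vvsr output by matching the rule text and builds the tcpdump filter. The pfctl output embedded in it is constructed for the example; the @N prefix it parses is the number pfctl prints in front of each rule with -vv. Because rule numbers are positional and change when the ruleset is reloaded, the lookup should be repeated before each capture rather than hard-coded.

```shell
# Constructed pfctl -vvsr output (not from a real system); on a real box
# you would pipe `sudo pfctl -vvsr` into pflog_filter instead.
SAMPLE_PFCTL_OUTPUT='@0 block drop in log all
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
@1 pass in log on em0 proto tcp from any to any port = 22 flags S/SA keep state
  [ Evaluations: 50        Packets: 9         Bytes: 1234        States: 1     ]
  [ Inserted: uid 0 pid 1234 State Creations: 1     ]
@2 pass out on em0 all flags S/SA keep state
  [ Evaluations: 30        Packets: 100       Bytes: 56789       States: 3     ]
  [ Inserted: uid 0 pid 1234 State Creations: 3     ]'

# pf_rule_number PATTERN
# Reads pfctl -vvsr output on stdin and prints the number (the @N prefix)
# of the first rule line whose text matches PATTERN, an awk/grep -E regex.
# Only rule lines are considered; the indented counter lines are skipped.
# Returns 1 when no rule matches, so callers can detect a stale pattern.
pf_rule_number() {
    awk -v pat="$1" '
        /^@[0-9]+ / && $0 ~ pat { sub(/^@/, "", $1); print $1; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# pflog_filter PATTERN
# Same input as pf_rule_number; prints the tcpdump filter expression
# ("rnr N") for the matching rule, or fails if there is none.
pflog_filter() {
    n=$(pf_rule_number "$1") || return 1
    printf 'rnr %s\n' "$n"
}

# Demo on the constructed sample: look up the SSH rule and show the
# resulting capture command (printed, not executed).
if f=$(printf '%s\n' "$SAMPLE_PFCTL_OUTPUT" | pflog_filter 'port = 22'); then
    printf 'sudo tcpdump -nettti pflog0 %s\n' "$f"
fi
```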