[Solved] No timestamp in pf

Hi guys,
We have an issue where our office IP gets blocked after visiting our website (10 machines, 1 IP, 6 websites).
I ran sudo tcpdump -netttr /var/log/pflog | grep 80.252.64.xxx and got
Code:
00:00:00.041037 rule 22..16777216/0(match): pass in on bce0: 80.252.64.xxx.50671 > 10.8.20.13.443: Flags , seq 3651535672, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.210234 rule 22..16777216/0(match): pass in on bce0: 80.252.64.xxx.50672 > 10.8.20.13.443: Flags , seq 1725074160, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.001641 rule 22..16777216/0(match): pass in on bce0: 80.252.64.xxx.50673 > 10.8.20.13.443: Flags , seq 2975226484, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.004767 rule 22..16777216/0(match): pass in on bce0: 80.252.64.xxx.50674 > 10.8.20.13.443: Flags , seq 2032562428, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.001632 rule 22..16777216/0(match): pass in on bce0: 80.252.64.xxx.50675 > 10.8.20.13.443: Flags , seq 1516649337, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000958 rule 22..16777216/0(match): pass in on bce0: 80.252.64.xxx.50676 > 10.8.20.13.443: Flags , seq 1014007733, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
Could anyone tell me what I need to add to pf to get the timestamp showing?
 
sudo tcpdump -nettttr /var/log/pflog | grep 80.252.64.xxx
Did the trick, thank you:)
Code:
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
2016-07-06 21:12:48.445183 rule 31..16777216/0(match): pass in on bce0: 80.252.64.xxx.56003 > 91.203.72.xxx.993: Flags , seq 201623975, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
2016-07-06 21:12:48.888240 rule 31..16777216/0(match): pass in on bce0: 80.252.64.xxx.56004 > 91.203.72.xxx.993: Flags , seq 1542997968, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
2016-07-06 21:43:01.901441 rule 31..16777216/0(match): pass in on bce0: 80.252.64.xxx.56020 > 91.203.72.xxx.993: Flags , seq 1005823973, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
2016-07-06 21:43:03.504556 rule 31..16777216/0(match): pass in on bce0: 80.252.64.xxx.56021 > 91.203.72.xxx.993: Flags , seq 1842455184, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
kpa, could you please tell me if there is a way in pf to know which rule was triggered that caused the IP to be blocked?
I could then go and adjust that setting.
 
The rule numbers are in the fourth column (after "rule") in the output that you now have. You can match them to your currently loaded rules if you print them with pfctl -sr -vg; the output is unfortunately spread over multiple lines for each rule, so it is not the most readable, but you'll get used to it.
 
kpa,
Here is the output from earlier on today
Code:
00:00:00.252086 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.64773 > 10.8.20.xx.80: Flags , seq 1032521214, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
00:00:00.006879 rule 11..16777216/0(match): block in on bce0: 80.252.64.xxx.62091 > 91.203.72.xxx.995: Flags , seq 1239798763, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
pfctl -sr -vg shows
Code:
@6 block drop in log quick on bce0 proto tcp from <BLOCKTEMP:0> to any port != ssh
  [ Skip steps: i=10 d=10 f=12 p=10 sp=end da=21 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 17865     Packets: 0         Bytes: 0           States: 0     ]
@11 block drop in log on bce0 all
  [ Skip steps: d=20 p=21 sp=end da=21 dp=21 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 26393     Packets: 3721      Bytes: 237363      States: 0     ]
So for rule 6, I understand that because the IP was in the table <BLOCKTEMP>, the rule applied.. but how do you know how it ended up in the banned table?
10.8.20.xx is the reverse web proxy server
91.203.72.xxx is the mail server
Sorry, I know I'm going off topic now... Don't worry if you can't help further.
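The correlation kpa describes (rule number in the pflog record against the @N numbers from pfctl -sr -vg) done in code, as an added example that is not part of the thread. A few points the script relies on: with tcpdump -ttt the first column is the delta since the previous packet, which is why it read 00:00:00.x; -tttt prints the absolute date and time. The rule number in a pflog record is positional in the ruleset that was loaded when the packet was logged, and every pfctl -f reload renumbers the rules and zeroes their counters, so correlate against the ruleset that was active at that time (rule @6 showing Packets: 0 while pflog shows it blocking is the usual sign of a reload in between). pfctl -vvsr also prefixes rules with their @number, without the Skip steps noise. pf itself does not log table insertions, so for the "how did the IP get into <BLOCKTEMP>" question the script also searches the ruleset for `overload <BLOCKTEMP>` state options, one common way addresses land in a block table; the other usual source is an external daemon calling pfctl -t BLOCKTEMP -T add, and pfctl -t BLOCKTEMP -vT show lists the current entries with their counters. The sample input is constructed: the two log lines and rules @6/@11 are the thread's, while the dates, the [S] flags and rule @22 with its overload clause are assumptions added for illustration.

```python
"""Correlate pflog records with the loaded pf ruleset (added example, not thread code).

Input is the text printed by `tcpdump -nettttr /var/log/pflog` and by
`pfctl -sr -vg`; the two are joined on the rule number.
"""
import re
from collections import Counter, defaultdict

# Constructed sample input. Log lines and rules @6/@11 come from the thread;
# the date/time, the [S] flags and all of rule @22 are assumptions.
PFLOG_TEXT = """\
2016-07-06 09:14:02.252086 rule 6..16777216/0(match): block in on bce0: 80.252.64.xxx.64773 > 10.8.20.xx.80: Flags [S], seq 1032521214, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
2016-07-06 09:14:02.258965 rule 11..16777216/0(match): block in on bce0: 80.252.64.xxx.62091 > 91.203.72.xxx.995: Flags [S], seq 1239798763, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
"""

PFCTL_TEXT = """\
@6 block drop in log quick on bce0 proto tcp from <BLOCKTEMP:0> to any port != ssh
  [ Skip steps: i=10 d=10 f=12 p=10 sp=end da=21 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 17865     Packets: 0         Bytes: 0           States: 0     ]
@11 block drop in log on bce0 all
  [ Skip steps: d=20 p=21 sp=end da=21 dp=21 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 26393     Packets: 3721      Bytes: 237363      States: 0     ]
@22 pass in quick on bce0 proto tcp from any to 10.8.20.xx port = https flags S/SA keep state (max-src-conn-rate 15/5, overload <BLOCKTEMP> flush global)
  [ Evaluations: 40210     Packets: 9981      Bytes: 1422017      States: 3     ]
"""

# One pflog record as tcpdump -nettttr prints it:
#   <date> <time> rule N..M/K(reason): <action> <dir> on <if>: src.sport > dst.dport: ...
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\d+)\S*?\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):"
)
RULE_RE = re.compile(r"^@(?P<num>\d+) (?P<text>.+)$")
COUNTER_RE = re.compile(r"Evaluations: (\d+)\s+Packets: (\d+)\s+Bytes: (\d+)\s+States: (\d+)")
OVERLOAD_RE = re.compile(r"overload <(?P<table>[^>]+)>")


def parse_pflog(text):
    """One dict per parsable pflog record; banner and non-TCP/UDP lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("rule", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def parse_rules(text):
    """Rule number -> {"text", "evaluations", "packets"} from pfctl -sr -vg output."""
    rules, current = {}, None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = int(m.group("num"))
            rules[current] = {"text": m.group("text"), "evaluations": None, "packets": None}
            continue
        c = COUNTER_RE.search(line)
        if c and current is not None:  # counter line belongs to the last @N rule seen
            rules[current]["evaluations"] = int(c.group(1))
            rules[current]["packets"] = int(c.group(2))
    return rules


def correlate(pflog_text, pfctl_text):
    """Attach the matching rule's text to every pflog record.

    rule_text is None when the number is not in the current ruleset, which
    usually means the ruleset was reloaded (and renumbered) since the packet
    was logged.
    """
    rules = parse_rules(pfctl_text)
    hits = []
    for rec in parse_pflog(pflog_text):
        rule = rules.get(rec["rule"])
        hits.append({
            "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "dport": rec["dport"],
            "action": rec["action"], "rule": rec["rule"],
            "rule_text": rule["text"] if rule else None,
        })
    return hits


def blocks_by_source(pflog_text, pfctl_text):
    """Source address -> Counter of (rule number, rule text) that blocked it."""
    summary = defaultdict(Counter)
    for hit in correlate(pflog_text, pfctl_text):
        if hit["action"] == "block":
            summary[hit["src"]][(hit["rule"], hit["rule_text"])] += 1
    return summary


def table_feeders(pfctl_text, table):
    """Rule numbers whose state options `overload <table>`, i.e. rules that can
    insert a source address into that table on their own (pf does not log this)."""
    return sorted(num for num, rule in parse_rules(pfctl_text).items()
                  if table in OVERLOAD_RE.findall(rule["text"]))


if __name__ == "__main__":
    for src, rules in blocks_by_source(PFLOG_TEXT, PFCTL_TEXT).items():
        for (num, text), count in rules.most_common():
            print(f"{src}: {count}x blocked by @{num} {text}")
    print("rules feeding <BLOCKTEMP>:", table_feeders(PFCTL_TEXT, "BLOCKTEMP"))
```

On a live box the two inputs are `tcpdump -nettttr /var/log/pflog` (optionally filtered with `grep <office IP>`) and `pfctl -sr -vg`, captured at the same time; if table_feeders returns nothing for the table named in the block rule, the entries are being added from outside pf and the next place to look is whatever tool runs pfctl -T add.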
 