PF tcpdump of pflog0 doesn't show anything useful

Hi all,

I recently upgraded to 12.3-STABLE and noticed that when I run:
Code:
tcpdump -n -e -ttt -i pflog0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes
 00:00:00.000000 rule 33/0(match): block in on em0: IP0
 00:00:02.296453 rule 33/0(match): block in on em0: IP3
 00:00:00.935445 rule 33/0(match): block in on em0: IP6, wrong link-layer encapsulation
 00:00:02.577125 rule 2/0(match): block in on em0: IP14
 00:00:01.555529 rule 33/0(match): block in on em0: IP13
 00:00:00.956334 rule 33/0(match): block in on em0: IP0
 00:00:00.000021 rule 33/0(match): block in on em0: IP0
 00:00:00.000010 rule 33/0(match): block in on em0: IP0
 00:00:00.485857 rule 2/0(match): block in on em0: IP14
 00:00:00.194711 rule 33/0(match): block in on em0: IP2
Not getting anything useful; it seems that instead of showing IP data I just get IP0, IP1, IP2...

Same setup on 11.4-STABLE works as expected.

Not sure if something is broken with pflog?

Thanks!
 
pf.conf has this as the last line (log everything that is blocked, not limited to any IP protocol):

Code:
ext_int = "em0"
.
.
(truncated)
.
.
block in log on $ext_int from any to any

On the older FreeBSD version I have exactly the same config.
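For a reader checking their own pflog output against the symptom described in this thread, here is an added shell example (not code from the thread): it reads the output format of `tcpdump -n -e -ttt -i pflog0` (or `-r /var/log/pflog`), counts blocked packets per rule number, direction and interface, and flags records where tcpdump printed a bare `IP<n>` token or "wrong link-layer encapsulation" instead of a decoded IP header. The sample input is constructed from the lines in the first post; the two decoded records at the end are constructed to show what a healthy record looks like with `-e`.

```shell
#!/bin/sh
# Added example, not part of the thread: summarise pflog records and flag
# undecoded ones. Input format: tcpdump -n -e -ttt -i pflog0
# SAMPLE_PFLOG is constructed from the post's output plus two constructed
# decoded records (healthy case) for contrast.

SAMPLE_PFLOG='00:00:00.000000 rule 33/0(match): block in on em0: IP0
00:00:02.296453 rule 33/0(match): block in on em0: IP3
00:00:00.935445 rule 33/0(match): block in on em0: IP6, wrong link-layer encapsulation
00:00:02.577125 rule 2/0(match): block in on em0: IP14
00:00:01.555529 rule 33/0(match): block in on em0: IP13
00:00:00.485857 rule 2/0(match): block in on em0: IP 192.168.30.1.5678 > 255.255.255.255.5678: UDP, length 113
00:00:00.194711 rule 33/0(match): block in on em0: IP 192.168.30.148.3306 > 192.168.30.145.50957: Flags [.], ack 1, win 509, length 0'

# Records where tcpdump printed a bare "IP<n>" token (no decoded header)
# or complained about the link-layer encapsulation.
pflog_undecoded() {
    awk '/: IP[0-9]+/ || /wrong link-layer encapsulation/'
}

# Number of such records on stdin (0 when everything decoded).
pflog_undecoded_count() {
    pflog_undecoded | awk 'END { print NR }'
}

# Packets per (rule number, action, direction, interface), most frequent
# first. Output line shape: "<count> rule <n> <action> <dir> on <if>".
pflog_rule_summary() {
    awk '
        /^[0-9:.]+ rule [0-9]+\/[0-9]+\([a-z]+\): / {
            split($3, r, "/")          # "33/0(match):" -> rule 33
            ifc = $7; sub(/:$/, "", ifc)
            key = "rule " r[1] " " $4 " " $5 " on " ifc
            n[key]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Most frequently hit rule, e.g. "5 rule 33 block in on em0".
pflog_top_rule() {
    pflog_rule_summary | head -n 1
}

# Exit status 0 when every record on stdin was decoded, 1 otherwise.
pflog_decode_ok() {
    [ "$(pflog_undecoded_count)" -eq 0 ]
}

# Demo run over the constructed sample; replace the printf with
#   tcpdump -n -e -ttt -r /var/log/pflog
# to use it on a real log.
printf '%s\n' "$SAMPLE_PFLOG" | pflog_rule_summary
printf '%s\n' "$SAMPLE_PFLOG" | pflog_decode_ok \
    || echo "warning: $(printf '%s\n' "$SAMPLE_PFLOG" | pflog_undecoded_count) undecoded pflog record(s)" >&2
```

The rule number in each record is the `@n` index that `pfctl -vvsr` prints in front of every loaded rule, so the summary can be matched back to the actual `block in log on $ext_int` line in pf.conf. A non-zero undecoded count with an otherwise working ruleset points at the pflog/tcpdump decode path rather than at the rules, which is the distinction the original poster is making.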
 
With PF you typically start with blocking everything. If you don't have allow rules using the quick keyword, everything is going to be blocked (last matched rule wins).
 
Exactly that is the setup; everything before the block line is "pass in/out quick". However, I don't think it is related to the pflog facility issue.
 
Now I upgraded from 11.4 to the same 12.3 version and am getting the same issue. Must be something related to the new 12.3.

Code:
uname -a
FreeBSD 12.3-STABLE FreeBSD 12.3-STABLE n234401-66d9cbc5d26 GENERIC  amd64
 
I think we can close this chapter: since I updated to FreeBSD 12.3-STABLE n235219-74b04867386 GENERIC, it seems that tcpdump of the pflog0 interface and reading the /var/log/pflog file show correct output:

Code:
17:52:21.680994 IP 192.168.30.1.5678 > 255.255.255.255.5678: UDP, length 113
17:53:21.680481 IP 192.168.30.1.5678 > 255.255.255.255.5678: UDP, length 113
17:54:21.679315 IP 192.168.30.1.5678 > 255.255.255.255.5678: UDP, length 113
17:55:21.686120 IP 192.168.30.1.5678 > 255.255.255.255.5678: UDP, length 113
17:56:21.686739 IP 192.168.30.1.5678 > 255.255.255.255.5678: UDP, length 113
17:57:21.678832 IP 192.168.30.1.5678 > 255.255.255.255.5678: UDP, length 113
17:58:21.679290 IP 192.168.30.1.5678 > 255.255.255.255.5678: UDP, length 113
17:59:21.681390 IP 192.168.30.1.5678 > 255.255.255.255.5678: UDP, length 113
17:59:34.272412 IP 192.168.30.148.3306 > 192.168.30.145.50957: Flags [.], ack 44652011, win 509, options [nop,nop,TS val 409042534 ecr 217942435], length 0
18:00:21.679327 IP 192.168.30.1.5678 > 255.255.255.255.5678: UDP, length 113
18:00:52.095591 IP 192.168.30.148.3306 > 192.168.30.145.50957: Flags [.], ack 1, win 509, options [nop,nop,TS val 409120358 ecr 217942435], length 0
18:01:21.680047 IP 192.168.30.1.5678 > 255.255.255.255.5678: UDP, length 113
18:02:09.918730 IP 192.168.30.148.3306 > 192.168.30.145.50957: Flags [.], ack 1, win 509, options [nop,nop,TS val 409198182 ecr 217942435], length 0

Unfortunately I couldn't find patch/update details on git (or I didn't try hard enough).
 