NetBSD/usr.sbin/npf/npfd/npfd.8

.\"	$NetBSD: npfd.8,v 1.7 2020/10/30 09:23:36 abs Exp $
.\"	$OpenBSD: pflogd.8,v 1.35 2007/05/31 19:19:47 jmc Exp $
.\"
.\" Copyright (c) 2001 Can Erkin Acar.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\"
.Dd August 7, 2018
.Dt NPFD 8
.Os
.Sh NAME
.Nm npfd
.Nd packet filter logging and state synchronization daemon
.Sh SYNOPSIS
.Nm npfd
.Op Fl D
.Op Fl d Ar delay
.Op Fl f Ar filename
.Op Fl i Ar interface
.Op Fl p Ar pidfile
.Op Fl s Ar snaplen
.Op Ar expression
.Sh DESCRIPTION
.Nm
is a background daemon which writes to a file in
.Xr pcap 3
format logged packets read from an npflog interface.
The npflog interface is used by
.Xr npf 7
to log packets as defined in
.Xr npf.conf 5 .
The generated
.Xr pcap 3
files can then be analysed using tools such as
.Xr tcpdump 8 .
.Pp
.Nm
closes and then re-opens the log file when it receives
.Dv SIGHUP ,
permitting
.Xr newsyslog 8
to rotate logfiles automatically.
.Dv SIGALRM
causes
.Nm
to flush the current logfile buffers to the disk, thus making the most
recent logs available.
The buffers are also flushed every
.Ar delay
seconds.
.Pp
If the log file contains data after a restart or a
.Dv SIGHUP ,
new logs are appended to the existing file.
If the existing log file was created with a different snaplen,
.Nm
temporarily uses the old snaplen to keep the log file consistent.
.Pp
.Nm
tries to preserve the integrity of the log file against I/O errors.
Furthermore, integrity of an existing log file is verified before
appending.
If there is an invalid log file or an I/O error, the log file is moved
out of the way and a new one is created.
If a new file cannot be created, logging is suspended until a
.Dv SIGHUP
or a
.Dv SIGALRM
is received.
.Pp
If
.Dv SIGINFO
is received, then
.Nm
logs capture statistics to
.Xr syslogd 8 .
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl D
Debugging mode.
.Nm
does not disassociate from the controlling terminal.
.It Fl d Ar delay
Time in seconds to delay between automatic flushes of the file.
This may be specified with a value between 5 and 3600 seconds.
If not specified, the default is 60 seconds.
.It Fl f Ar filename
Log output filename.
Default is
.Pa /var/log/npflog0.pcap .
.It Fl i Ar interface
Specifies the
npflog
.\" .Xr if_npflog 4
interface to use.
By default,
.Nm
will use
.Ar npflog0 .
.It Fl p Ar pidfile
Writes a file containing the process ID of the program.
The file name has the form
.Pa /var/run/npfd.pid .
If the option is not given,
.Ar pidfile
defaults to
.Pa npfd .
.It Fl s Ar snaplen
Analyze at most the first
.Ar snaplen
bytes of data from each packet rather than the default of 116.
The default of 116 is adequate for IP, ICMP, TCP, and UDP headers but may
truncate protocol information for other protocols.
Other file parsers may desire a higher snaplen.
.\" .It Fl x
.\" Check the integrity of an existing log file, and return.
.It Ar expression
Selects which packets will be dumped, using the regular language of
.Xr tcpdump 8 .
.El
.Sh FILES
.Bl -tag -width /var/run/npflog0.pcap -compact
.It Pa /var/run/npfd.pid
Process ID of the currently running
.Nm .
.It Pa /var/log/npflog0.pcap
Default log file.
.El
.Sh EXAMPLES
Log specific tcp packets to a different log file with a large snaplen
(useful with a log-all rule to dump complete sessions):
.Bd -literal -offset indent
# npfd -s 1600 -f suspicious.log port 80 and host evilhost
.Ed
.Pp
Log from another
npflog
interface, excluding specific packets:
.Bd -literal -offset indent
# npfd -i npflog3 -f network3.log "not (tcp and port 23)"
.Ed
.Pp
Display binary logs:
.Bd -literal -offset indent
# tcpdump -n -e -ttt -r /var/log/npflog0.pcap
.Ed
.Pp
Display the logs in real time (this does not interfere with the
operation of
.Nm ) :
.Bd -literal -offset indent
# tcpdump -n -e -ttt -i npflog0
.Ed
.Pp
Tcpdump has been extended to be able to filter on the
.Ox
pfloghdr
structure defined in
.Ar sys/net/npf/if_npflog.h .
Tcpdump can restrict the output
to packets logged on a specified interface, a rule number, a reason,
a direction, an IP family or an action.
.Pp
.Bl -tag -width "ruleset rules " -compact
.It ip
Address family equals IPv4.
.It ip6
Address family equals IPv6.
.It ifname kue0
Interface name equals "kue0".
.It on kue0
Interface name equals "kue0".
.It ruleset rules
Ruleset name equals "rules".
.It rulenum 10
Rule number equals 10.
.It reason match
Reason equals match.
.\" Also accepts "bad-offset", "fragment", "bad-timestamp", "short",
.\" "normalize", "memory", "congestion", "ip-option", "proto-cksum",
.\" "state-mismatch", "state-insert", "state-limit", "src-limit",
.\" and "synproxy".
.It action pass
Action equals pass.
Also accepts "block".
.It inbound
The direction was inbound.
.It outbound
The direction was outbound.
.El
.Pp
Display the logs in real time of inbound packets that were blocked on
the wi0 interface:
.Bd -literal -offset indent
# tcpdump -n -e -ttt -i npflog0 inbound and action block and on wi0
.Ed
.Pp
Each
.Xr npf 7
rule is marked with an id number, shown using:
.Bd -literal -offset indent
# npfctl show
\&...
        block final all apply "log" # id="45"
\&...
.Ed
.Pp
This id is the rule id shown by tcpdump:
.Bd -literal -offset indent
# tcpdump -enr /var/log/npflog0.pcap
\&...
11:26:02.288199 rule 45.rules.0/0(match): block in on sk0: \e
1.2.3.4.46063 > 5.6.7.8.23231: Flags [S], seq 1, win 8192, \e
options [mss 1440], length 0
\&...
.Ed
.Sh SEE ALSO
.Xr pcap 3 ,
.Xr npf.conf 5 ,
.Xr npf 7 ,
.Xr newsyslog 8 ,
.Xr npfctl 8 ,
.Xr tcpdump 8
.Sh HISTORY
The
.Nm
command appeared in
.Nx 8.0 .
.Sh AUTHORS
This manual page was written by
.An Can Erkin Acar Aq Mt canacar@openbsd.org .
.Sh CAVEATS
Offline analysis of captured data is advised to alleviate issues with
malicious data intended to exploit bugs in the packet parsing code of
.Xr tcpdump 8 .