You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: one-to-one
one-to-one Author
User level: Level 1
13 points

packet printing is not supported for link type PFLOG

PF is up and running:



>sudo /sbin/pfctl -s info

No ALTQ support in kernel

ALTQ related functions disabled

Status: Disabled for 1 days 01:03:24 Debug: Urgent



Interface Stats for pflog0 IPv4 IPv6

Bytes In 0 0

Bytes Out 0 0

Packets In

Passed 0 0

Blocked 0 0

Packets Out

Passed 0 0

Blocked 0 0

...



How to monitor its packets, according to the current manual:



> man pflog

[...]

<EXAMPLES

< Create a pflog interface and monitor all packets logged on it:

<

< # ifconfig pflog1 create

< # tcpdump -n -e -ttt -i pflog1



In practice, it does not work:



> sudo ifconfig pflog1 create

> sudo tcpdump -n -e -ttt -i pflog1

tcpdump: packet printing is not supported for link type PFLOG: use -w



I did not have this problem with the previous version.

What is wrong with macOS 10.12.4?

MacBook Pro, macOS Sierra (10.12.4)

Posted on Mar 29, 2017 8:40 AM

Reply
8 replies
User profile for user: ElijahTsai
ElijahTsai
User level: Level 2
160 points

Apr 4, 2017 5:41 AM in response to one-to-one

Hello one-to-one:

I just have same problem as you, but I got a temporary solution try to change tcpdump command to this:

tcpdump -lnetttti pflog0 -w /file/path/to/pflog.pcap

-w /file/path/to/pflog.pcap : meaning tell tcpdump to dump to following file and it is recommended to using (.pcap) to be extension.

by the time you wanna check the log that may let you to look the package by using Wireshark or other application.

Hope this can help you.

All the best & Farewell 🙂

Reply
User profile for user: TheMurusTeam
TheMurusTeam
User level: Level 1
4 points

Apr 10, 2017 8:16 AM in response to one-to-one

As developers of a pf front end app we faced the same problem on macOS 10.12.4 as our apps use tcpdump to read and store pf logs. We believe tcpdump is broken thus we developed 'pfloggerd' a dedicated pf log daemon, to mimic FreeBSD and other operating systems that use pf. The daemon must run as root at boot, it reads from pflog0 interface and stores logs in a human readable format in /var/log/pffirewall.log. Pfloggerd is an open source project available at github.com.

Reply
User profile for user: Pf firwall
Pf firwall
User level: Level 1
4 points

May 3, 2017 8:51 AM in response to one-to-one

https://github.com/the-tcpdump-group/tcpdump/issues/598 :

Yes, PFLOG is broken.

By "PFLOG" I mean "PFLOG", not "the PFLOG printing code in tcpdump"; it doesn't have a standard specification so that you can print any operating system's PFLOG output on any operating system.

So tcpdump's PFLOG-printing code requires that you have the header file for the OS on which you're compiling tcpdump available, so it can print that OS's version of PFLOG output.

Apple doesn't ship that header file, so we don't support printing PFLOG output on macOS; apparently, they don't support it in their tcpdump, either.

Please complain to Apple about this if you want it fixed, as it's their bug.

Reply

packet printing is not supported for link type PFLOG

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up