Sometimes you really need to know what the computers on your network were doing yesterday at noon: you get a nastygram from the MPAA about a BitTorrent download, demanding that you do something about it, but BitTorrent is notoriously hard to block.
You can try installing BandwidthD on your pfSense router to see who was using a lot of bandwidth at that time, and you can look back through DHCP or WiFi logs to see who was connected, but the complaint letter tells you the exact time and port number used. Wouldn't it be cool if you could log that?
Here's what I came up with. Install the Cron package on pfSense and add a new cron job:
Minute: 1
Hour, day of month, month, day of week: *
Who: root
Command: pfctl -ss | egrep '(>.*>|<.*<)' | logger
The firewall's state table (who is connected to what) is now dumped to your system log once an hour, one minute past the hour. The egrep keeps only the lines with two arrows, i.e. the states that went through NAT, so each logged line shows which LAN host was mapped to which public port and remote address. It is noisy, but it is effective for tracking long downloads on random ports, because a transfer that runs for hours shows up in several consecutive snapshots even though a short one can fall between them.
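Here is the same pipeline wrapped in a couple of shell functions, as an added example that is not from the original post. It applies the post's egrep pattern to a constructed snippet of pfctl -ss output, stamps each surviving line with the snapshot time so that the file-append variant (>> file, discussed in the comments below) still records when the state was seen, and answers the complaint-letter question directly: which LAN host was behind a given public port. The sample lines assume the pf state format the pattern targets (LAN address -> WAN address -> remote address for states that went through outbound NAT); newer pf releases print the pre-NAT address in parentheses instead, so check pfctl -ss on your own box before trusting the filter. The function names and the log path in the comments are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Constructed sample of `pfctl -ss` output (assumed format: NATed outbound
# states are printed "lan -> wan -> remote", other states have one arrow).
SAMPLE_STATES='all tcp 192.168.1.10:54321 -> 203.0.113.5:54321 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
all udp 192.168.1.23:51413 -> 203.0.113.5:51413 -> 198.51.100.7:6881       MULTIPLE:MULTIPLE
all tcp 203.0.113.5:22 <- 198.51.100.9:40122       ESTABLISHED:ESTABLISHED
all icmp 192.168.1.1:0 -> 192.168.1.10:0       0:0'

# Keep only NATed states (two arrows in the same direction, the exact egrep
# pattern from the post) and prefix every line with a timestamp, because a
# plain ">> file" redirect records nothing about when the snapshot was taken.
# Optional first argument: the timestamp to use (defaults to now, ISO-8601).
filter_nat_states() {
    stamp=${1:-$(date '+%Y-%m-%dT%H:%M:%S%z')}
    grep -E '(>.*>|<.*<)' | awk -v ts="$stamp" '{ print ts, $0 }'
}

# Given a public (post-NAT) port number from a complaint letter, read the
# timestamped log on stdin and print "timestamp lan_host:port" for every
# outbound NAT state whose translated port matched. The translated address
# is the field right after the first "->"; the LAN address is the field
# before it. Inbound (rdr, "<-") states are not handled here.
who_used_port() {
    awk -v p="$1" '
        />.*>/ {
            for (i = 2; i < NF; i++) {
                if ($i == "->") {
                    split($(i + 1), nat, ":")
                    if (nat[2] == p) print $1, $(i - 1)
                    break
                }
            }
        }'
}

# Usage on a real pfSense box (assumed log path), e.g. from the cron job:
#   pfctl -ss | filter_nat_states >> /var/log/nat-states.log
# Later, when the letter says "port 51413 at 12:00":
#   who_used_port 51413 < /var/log/nat-states.log
# Offline demonstration on the constructed sample:
#   printf '%s\n' "$SAMPLE_STATES" | filter_nat_states | who_used_port 51413
```

If you keep the post's original design and log to syslog instead of a file, replace the awk prefix with `| logger -t natstate`: syslog adds its own timestamp, and the tag makes the lines easy to pick out (or filter away) on the pfSense log page or a remote syslog server.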
Hello Will, thanks for your suggestion about NAT logging. As you said above, the crontab will log system states once every hour. But will it be possible to have everything logged? Or are all states maintained for 1 hour? The question is whether it will miss some of the states and only get a random sample every hour.
Pankaj, you’re correct, only doing it hourly is likely to miss some things. For my purposes, I’m only interested in long-term connections (like Bittorrent downloads) and so it’s good enough for me. But logging on a more-frequent basis would be recommended if you wanted to never miss anything. It’d just generate LOTS of data.
Hello Will, thanks for the article. What if I wanted to log it to a different file? Say nat.log… What should the command be?
Lucas, instead of
| logger
you would type:
>> nat.log
to append the text output to a file. Look up Linux Pipes, aka I/O Redirection, for details.
Ok, thanks a lot!
There is one fundamental flaw with this approach. The MPAA never sends an accurate date/time of connections they used to determine a violation. So lining up their claim to any PfSense collected logs will be an exercise in futility. Until MPAA & company provides a utility to search networks, for illegal content, this issue will continue unresolved.
Interesting. You are correct, of course, although last time I received a complaint the timestamp was accurate enough for me to determine the cause. On noisier networks or for smaller files it will definitely be more of a challenge.
So where does the log file get stored and what is its filename? I'd like to see the contents of the output.
Will, I tried your cron & it doesn’t produce an output. What path/file is supposed to be created? Mark
There's no file created; the
| logger
at the end invokes the system logger. So you should look at the pfSense system log page and configure the logging settings to your liking. If the pfSense syslog doesn't work for you for some reason, you can always replace the
| logger
with something else (like
>> filename
as in the previous comments, or nothing to just see the output on your screen).

To break out the command:
pfctl -ss
shows all firewall states (current traffic passing through the firewall)
egrep '(>.*>|<.*<)'
filters that list to relevant rows only
| logger
outputs that list to syslog (which is useful to me since I have remote syslog configured to Papertrail, for improved archiving and search).

Hmmm, logger doesn't put anything in the system log. Not that I would want this much info clobbering the system log anyway. So I entered in the command console pfctl -ss | egrep ‘(>.*>|<.*/var/statesgrep.txt and no file is created. Tried truncating to pfctl -ss >/var/states.txt and get a file output with no date/time stamps.
I’m not sure if the comment editor is mangling your comment or what, but the command I’m seeing in your comment is not going to work very well.
I’m seeing you wrote: pfctl -ss | egrep ‘(>.*>|.*>|<.*> /var/statesgrep.txt
The proper command would be: pfctl -ss | egrep '(>.*>|<.*<)' >> /var/statesgrep.txt
As for date/time stamps, I think I was relying on the system logger to provide that. It’s not a very elegant solution, but it was enough for me at the time.
If you need a “business-grade” solution, check out Netflow: https://doc.pfsense.org/index.php/How_can_I_monitor_bandwidth_usage#Netflow