BPFLOGD(8) System Manager's Manual BPFLOGD(8)

bpflogdBerkeley Packet Filter logging daemon

bpflogd [-dPp] [-F filterfile] [-s snaplen] [-u user] [-w waitms] [-y datalinktype] -f filename -i interface [expression ...]

bpflogd is a daemon which captures packets using bpf(4) and writes the packets to a logfile in tcpdump(8) binary format. These logs can be reviewed later using the -r option of tcpdump(8).

When starting up, bpflogd drops privileges before opening its log file. After receiving a SIGHUP signal it will write any pending packets to the log file, close it, and then open it again, permitting newsyslog(8) to rotate logfiles automatically. If the log file contains data after being opened, the PCAP header is checked before new logs are appended to the existing file.

The options are as follows:

Debugging mode. bpflogd does not daemonise and logs to the terminal.
filename
Log output filename. The file must already exist, and be readable and writable by the _pflogd user.
filterfile
Specify a file containing a filter expression as per pcap-filter(5).
interface
Specifies the interface to capture packets on using bpf(4). This can be specified multiple times to capture packets from multiple interfaces, but all the interfaces must support the same datalink type.
Put the interfaces into promiscuous mode.
Do not put the interfaces into promiscuous mode. This is the default.
snaplen
Capture at most the first snaplen bytes of data from each packet. By default bpflogd captures whole packets.
user
Drop privileges to user. By default bpflogd drops privileges to the _pflogd user.
waitms
Specify the maximum amount of time in milliseconds between when a packet is captured and when it will be written to the log file. The default waitms value is 2000 milliseconds.
datalinktype
Specify the datalink type when capturing packets. If this is not specified then the default datalink type on the first interface is used.
expression
Specify a filter expression for matching packets as per pcap-filter(5).

A filter expression may only be specified by a file with -F or as arguments on the command line; specifying both is unsupported. If a filter is not provided then all packets are captured.

pcap_open_live(3), pcap-filter(5), newsyslog(8), tcpdump(8)

The bpflogd command appeared in OpenBSD 7.8.

May 16, 2025 Debian