buster
January 16th, 2007, 11:55
Hi,

Hopefully someone can answer this in 2 seconds!!!

According to the PF manual page:

The options that can be given to the log keyword are

user
Causes the UNIX user-id and group-id that owns the socket that the packet is sourced from/destined to (whichever socket is local) to be logged along with the standard log information.

However I have been unable to find/view the UserID information?

For instance, I have experimented with pf rule:

block out log (user) quick on $ext_if inet from any to <rfc1918_ip>

Using tcpdump -n -e -ttt -r /var/log/pflog I get:

Jan 16 16:33:39.857471 rule 6/(match) block out on xl0: 192.168.196.251 > 192.168.196.249: icmp: echo request
Jan 16 16:33:40.860139 rule 6/(match) block out on xl0: 192.168.196.251 > 192.168.196.249: icmp: echo request
Jan 16 16:33:41.870092 rule 6/(match) block out on xl0: 192.168.196.251 > 192.168.196.249: icmp: echo request

I've read the man pages for tcpdump and pf but to no avail. Can anyone help me please?

Thanks.

PS
In case you are wondering, I have a shared internet connection, and I would like to have at least some form of audit trail, UserID - IP address visited (all users will be informed). Also, it is not being used to collect user data (snaplen kept short, etc.). Maybe someone else has had this problem; I would be grateful to hear your solutions.

bsdjunkie
January 16th, 2007, 13:24
Just set this up on my home net. You need to view the pflog with tcpdump's -v flag to see user info:

tcpdump -netttvr /var/log/pflog

Then you will see logs like the following:

Jan 16 13:18:41.092147 rule 11/(match) [uid 0, pid 8349] pass out on fxp0: [uid 1000, pid 13227] 68.85.141.224.30646 > 68.87.77.130.53: [udp sum ok] 42385+ A? yahoo.com. (27) (ttl 64, id 53001, len 55)
Jan 16 13:18:41.105651 rule 12/(match) [uid 0, pid 8349] pass out on fxp0: 68.85.141.224 > 66.94.234.13: icmp: echo request (id:ab33 seq:0) (ttl 255, id 55274, len 84)
Jan 16 13:18:48.545075 rule 11/(match) [uid 0, pid 8349] pass out on fxp0: [uid 83, pid 22388] 68.85.141.224.32775 > 217.91.44.17.123: [udp sum ok] v4 client strat 0 poll 0 prec 0 dist 0.000000 disp 0.000000 ref (unspec)@0.000000000 orig 0.000000000 rec -0.000000000 xmt -988384143.324035793 [tos 0x10] (ttl 64, id 58673, len 76)
Jan 16 13:18:50.675065 rule 11/(match) [uid 0, pid 8349] pass out on fxp0: [uid 83, pid 22388] 68.85.141.224.2956 > 202.125.40.143.123: [udp sum ok] v4 client strat 0 poll 0 prec 0 dist 0.000000 disp 0.000000 ref (unspec)@0.000000000 orig 0.000000000 rec -0.000000000 xmt +1113055184.435199409 [tos 0x10] (ttl 64, id 51637, len 76)
Jan 16 13:19:20.005521 rule 11/(match) [uid 0, pid 8349] pass out on fxp0: [uid 1000, pid 20766] 68.85.141.224.31368 > 68.87.77.130.53: [udp sum ok] 47124+ A? yahoo.com. (27) (ttl 64, id 37189, len 55)
Jan 16 13:19:20.021022 rule 12/(match) [uid 0, pid 8349] pass out on fxp0: 68.85.141.224 > 66.94.234.13: icmp: echo request (id:1e51 seq:0) (ttl 255, id 36265, len 84)
Jan 16 13:19:26.417889 rule 11/(match) [uid 0, pid 8349] pass out on fxp0: [uid 1000, pid 31558] 68.85.141.224.21814 > 68.87.77.130.53: [udp sum ok] 50935+ AAAA? yahoo.com. (27) (ttl 64, id 50534, len 55)
Jan 16 13:19:26.429396 rule 11/(match) [uid 0, pid 8349] pass out on fxp0: [uid 1000, pid 31558] 68.85.141.224.11521 > 68.87.77.130.53: [udp sum ok] 33924+ A? yahoo.com. (27) (ttl 64, id 63603, len 55)
Jan 16 13:19:26.442012 rule 10/(match) [uid 0, pid 8349] pass out on fxp0: [uid 1000, pid 31558] 68.85.141.224.10445 > 216.109.112.135.23: S [tcp sum ok] 3244911016:3244911016(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1687614650 0> (DF) [tos 0x10] (ttl 64, id 46935, len 64)
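
As an added illustration for buster's audit-trail goal (my own code, not from either poster): a small parser that turns the verbose pflog lines above into records and builds a uid -> remote-host summary, plus a check that lists lines where the uid is missing (the symptom buster saw before adding -v, and what you get for rules logged without the user option). The line layout is taken from the output quoted in this thread; my reading of tcpdump's pflog printer is that the bracket before "pass/block" is the uid/pid that loaded the rule and the bracket after the interface is the owner of the local socket. Function and field names are mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: lines copied from the pflog/tcpdump output quoted in this
# thread (four verbose lines from bsdjunkie's post, one non-verbose line from buster's).
SAMPLE_PFLOG = """\
Jan 16 13:18:41.092147 rule 11/(match) [uid 0, pid 8349] pass out on fxp0: [uid 1000, pid 13227] 68.85.141.224.30646 > 68.87.77.130.53: [udp sum ok] 42385+ A? yahoo.com. (27) (ttl 64, id 53001, len 55)
Jan 16 13:18:41.105651 rule 12/(match) [uid 0, pid 8349] pass out on fxp0: 68.85.141.224 > 66.94.234.13: icmp: echo request (id:ab33 seq:0) (ttl 255, id 55274, len 84)
Jan 16 13:18:48.545075 rule 11/(match) [uid 0, pid 8349] pass out on fxp0: [uid 83, pid 22388] 68.85.141.224.32775 > 217.91.44.17.123: [udp sum ok] v4 client strat 0 poll 0 prec 0 dist 0.000000 disp 0.000000 ref (unspec)@0.000000000 orig 0.000000000 rec -0.000000000 xmt -988384143.324035793 [tos 0x10] (ttl 64, id 58673, len 76)
Jan 16 13:19:26.442012 rule 10/(match) [uid 0, pid 8349] pass out on fxp0: [uid 1000, pid 31558] 68.85.141.224.10445 > 216.109.112.135.23: S [tcp sum ok] 3244911016:3244911016(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1687614650 0> (DF) [tos 0x10] (ttl 64, id 46935, len 64)
Jan 16 16:33:39.857471 rule 6/(match) block out on xl0: 192.168.196.251 > 192.168.196.249: icmp: echo request
"""

# Shape of a tcpdump pflog line as quoted in the thread. Both [uid, pid] brackets are
# optional: the first only appears with -v, the second only with -v and a (user) rule.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>\w+)\)"
    r"(?: \[uid (?P<ruid>\d+), pid (?P<rpid>\d+)\])?"
    r" (?P<action>pass|block|match) (?P<dir>in|out) on (?P<ifname>\S+):"
    r"(?: \[uid (?P<uid>\d+), pid (?P<pid>\d+)\])?"
    r" (?P<src>\S+) > (?P<dst>\S+?):? (?P<rest>.*)$"
)


@dataclass
class PflogRecord:
    ts: str
    rule: int
    action: str
    direction: str
    ifname: str
    rule_uid: Optional[int]  # uid/pid of the process that loaded the rule (pfctl, usually root)
    rule_pid: Optional[int]
    uid: Optional[int]       # owner of the local socket; only present for rules logged with (user)
    pid: Optional[int]
    src_host: str
    src_port: Optional[int]
    dst_host: str
    dst_port: Optional[int]
    proto: str


def split_host_port(endpoint: str):
    """tcpdump appends the port as a fifth dotted field: 1.2.3.4.53 -> ('1.2.3.4', 53)."""
    parts = endpoint.split(".")
    if len(parts) == 5 and all(p.isdigit() for p in parts):
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None  # ICMP and other portless traffic


def guess_proto(rest: str) -> str:
    if rest.startswith("icmp"):
        return "icmp"
    if "[udp" in rest:
        return "udp"
    if "[tcp" in rest:
        return "tcp"
    return "other"


def _opt_int(value):
    return int(value) if value is not None else None


def parse_pflog(text: str) -> list:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pf log line we recognise; skip instead of aborting the audit
        src_host, src_port = split_host_port(m.group("src"))
        dst_host, dst_port = split_host_port(m.group("dst"))
        records.append(PflogRecord(
            ts=m.group("ts"), rule=int(m.group("rule")),
            action=m.group("action"), direction=m.group("dir"), ifname=m.group("ifname"),
            rule_uid=_opt_int(m.group("ruid")), rule_pid=_opt_int(m.group("rpid")),
            uid=_opt_int(m.group("uid")), pid=_opt_int(m.group("pid")),
            src_host=src_host, src_port=src_port, dst_host=dst_host, dst_port=dst_port,
            proto=guess_proto(m.group("rest")),
        ))
    return records


def audit_by_uid(records) -> dict:
    """uid -> set of remote hosts; the remote side is dst for outbound, src for inbound."""
    seen = defaultdict(set)
    for r in records:
        if r.uid is None:
            continue
        seen[r.uid].add(r.dst_host if r.direction == "out" else r.src_host)
    return dict(seen)


def missing_user_info(records) -> list:
    """Lines with no socket owner: rule not logged with (user), or pflog read without -v."""
    return [r for r in records if r.uid is None]


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    for uid, hosts in sorted(audit_by_uid(recs).items()):
        print(f"uid {uid}: {', '.join(sorted(hosts))}")
    for r in missing_user_info(recs):
        print(f"no uid: rule {r.rule} {r.action} {r.direction} on {r.ifname} {r.src_host} > {r.dst_host}")
```

Feed it `tcpdump -netttvr /var/log/pflog` output on stdin or from a file instead of the embedded sample; the missing-uid list is the quick way to spot rules that still need the (user) option.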

buster
January 16th, 2007, 13:55
Thank you.

I've got to laugh, I didn't try -v because of the security warning! Again, many thanks.

bsdjunkie
January 16th, 2007, 14:16
There is a small chance of that happening, but the odds are definitely stacked against it =)