pflogd is a background daemon which reads packets logged by pf(4) to the packet logging interface pflog0 and writes the packets to a logfile (normally /var/log/pflog) in tcpdump(1) binary format. These logs can be reviewed later using the -r option of tcpdump(1), hopefully offline in case there are bugs in the packet parsing code of tcpdump(1).
pflogd closes and then re-opens the log file when it receives SIGHUP, permitting newsyslog(8) to rotate logfiles automatically. SIGALRM causes pflogd to flush the current logfile buffers to the disk, thus making the most recent logs available. The buffers are also flushed every delay seconds.
If the log file contains data after a restart or a SIGHUP, new logs are appended to the existing file. If the existing log file was created with a different snaplen, pflogd temporarily uses the old snaplen to keep the log file consistent.
pflogd tries to preserve the integrity of the log file against I/O errors. Furthermore, integrity of an existing log file is verified before appending. If there is an invalid log file or an I/O error, logging is suspended until a SIGHUP or a SIGALRM is received.
The options are as follows: