description

pf2xml takes tcpdump output from pflog interfaces (or saved pflog files) and converts it to XML 1.0. useful for importing data into a device you can't teach to read pf logs but can teach XML.

new version 0.22 uses a new XSL file from michael semcheski. it looks pretty good, and is easily adapted to a variety of layouts. rawk!

usage

run tcpdump with -nettt and either -i pflog0 (live) or -r with a saved log, then pipe the output to pf2xml:
# tcpdump -nettti pflog0 | pf2xml
or, to read a file:
# tcpdump -netttr /var/log/pflog | pf2xml

output

sample output of version 0.22 is shown below:
<?xml version="1.0" encoding="ISO-8859-1" ?>
<?xml-stylesheet type="text/xsl" href="pfxml.xsl" ?>
<pf source="pf2xml-0.21" >
  <packet>
    <timestamp date="Feb 23" time="15:16:29.745318" />
    <reason rule="rule 5/0(match)" action="block in on wi0" />
    <source ip="10.10.10.14" port="138" />
    <destination ip="10.10.255.255" port="138" />
    <extra information="udp 201      " />
  </packet>
  <packet>
    <timestamp date="Feb 23" time="15:19:45.557186" />
    <reason rule="rule 5/0(match)" action="block in on wi0" />
    <source ip="10.10.10.128" port="50065" />
    <destination ip="239.255.255.253" port="427" />
    <extra information="udp 49      " />
  </packet>
</pf>
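the conversion itself, as an added example that is not the pf2xml script from this page: a POSIX awk program wrapped in sh that turns tcpdump -nettt pflog lines into the packet layout shown above. it assumes the line layout "date time rule N/M(match): action on ifname: src.port > dst.port: rest" and XML-escapes every attribute value, since tcpdump prints TCP options inside angle brackets that would otherwise land in the document as raw markup.

```shell
#!/bin/sh
# Added example (not the pf2xml script itself): a POSIX awk rewrite of the idea.
# Assumed input: tcpdump -nettt pflog lines laid out as
#   <date> <time> rule N/M(match): <action> on <if>: <src>.<port> > <dst>.<port>: <rest>
# Attribute values are XML-escaped: tcpdump prints TCP options in <...>, which
# would otherwise end up as raw markup inside the attribute.

pf2xml_awk() {
  awk '
    # escape the characters that are special inside a double-quoted attribute
    function xml(s) {
      gsub(/&/, "\\&amp;", s); gsub(/</, "\\&lt;", s)
      gsub(/>/, "\\&gt;", s);  gsub(/"/, "\\&quot;", s)
      return s
    }
    # "host.port": the port is whatever follows the last dot
    function endpoint(s, tag) {
      if (match(s, /\.[0-9]+$/))
        printf "    <%s ip=\"%s\" port=\"%s\" />\n", tag, xml(substr(s, 1, RSTART - 1)), substr(s, RSTART + 1)
      else
        printf "    <%s ip=\"%s\" />\n", tag, xml(s)
    }
    BEGIN {
      print "<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>"
      print "<pf source=\"pf2xml-awk-example\" >"
    }
    {
      n = split($0, p, ": ")             # header | action | endpoints | rest...
      if (n < 3) next                    # not a pflog line, skip it
      split(p[1], h, " ")                # h[1] h[2] = date, h[3] = time
      rule = p[1]; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", rule)
      split(p[3], ep, " > ")
      extra = p[4]; for (i = 5; i <= n; i++) extra = extra ": " p[i]
      print "  <packet>"
      printf "    <timestamp date=\"%s %s\" time=\"%s\" />\n", h[1], h[2], h[3]
      printf "    <reason rule=\"%s\" action=\"%s\" />\n", xml(rule), xml(p[2])
      endpoint(ep[1], "source"); endpoint(ep[2], "destination")
      printf "    <extra information=\"%s\" />\n", xml(extra)
      print "  </packet>"
    }
    END { print "</pf>" }'
}

# constructed sample (not captured traffic): a UDP block and a TCP pass with options
SAMPLE='Feb 23 15:16:29.745318 rule 5/0(match): block in on wi0: 10.10.10.14.138 > 10.10.255.255.138: udp 201
Feb 23 15:20:01.000001 rule 3/0(match): pass out on em0: 192.0.2.7.51234 > 198.51.100.9.443: S 123:123(0) win 65535 <mss 1460,nop,wscale 6>'

pf2xml_sample() { printf '%s\n' "$SAMPLE" | pf2xml_awk; }
pf2xml_sample
```

lines that do not split into at least a header, an action and an endpoint pair are skipped, so non-pflog noise on stdin does not produce a malformed packet element.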

download

current files:
pf2xml version 0.22, an awk script which uses the XSL file.
pfxml.xsl, the XSL file used by version 0.22.

future

a C version is forthcoming. it should be easy to do and would remove the tcpdump dependency.

license

available under a 3-clause BSD license.

acknowledgements

thanks to the deadly poster for the idea, jobo and chris for xml feedback, and michael semcheski for the XSL file. comments are always welcome, thanks.