pf2xml takes the tcpdump output from pflog devices (or saved pflog files) and converts it to XML 1.0. useful for importing data into a device you can't teach to read pf logs but can teach XML.

new version 0.22 uses a new XSL file from miohael semcheski. it looks pretty good, and is easily adapted for a variety of layouts. rawk!


process tcpdump with -nettt and either -i for pflog0 or -r for a file:
# tcpdump -nettti pflog0 | pf2xml
or to read a file
# tcpdump -netttr /var/log/pflog | pf2xml


sample output of version 0.22 is shown below (the source attribute still reads 0.21 in this capture; the closing </pf> tag is needed for the document to be well-formed XML):
<?xml version="1.0" encoding="ISO-8859-1" ?>
<?xml-stylesheet type="text/xsl" href="pfxml.xsl" ?>
<pf source="pf2xml-0.21" >
    <timestamp date="Feb 23" time="15:16:29.745318" />
    <reason rule="rule 5/0(match)" action="block in on wi0" />
    <source ip="" port="138" />
    <destination ip="" port="138" />
    <extra information="udp 201      " />
    <timestamp date="Feb 23" time="15:19:45.557186" />
    <reason rule="rule 5/0(match)" action="block in on wi0" />
    <source ip="" port="50065" />
    <destination ip="" port="427" />
    <extra information="udp 49      " />
</pf>
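as an added example (not the project's awk script), here is a small Python converter for the same layout. it assumes the tcpdump -nettt pflog line shape that the sample above reflects, i.e. `<date> <time> rule N/M(match): <action> on <if>: <src>.<port> > <dst>.<port>: <rest>`; it escapes attribute values so that `<`, `>`, `&` or quotes in the packet summary can't break the document, and it closes the root element. the sample lines and addresses are constructed.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed sample of `tcpdump -nettt` pflog lines (assumed layout, matching
# the fields in the sample output above; addresses are TEST-NET, not real hosts).
SAMPLE_LINES = """\
Feb 23 15:16:29.745318 rule 5/0(match): block in on wi0: 192.0.2.5.138 > 192.0.2.255.138: udp 201
Feb 23 15:19:45.557186 rule 5/0(match): block in on wi0: 192.0.2.7.50065 > 192.0.2.255.427: udp 49
Feb 23 15:20:02.000001 rule 2/0(match): pass out on wi0: 192.0.2.7.40001 > 192.0.2.10.80: S 1:1(0) win 16384 <mss 1460>
"""

LINE_RE = re.compile(
    r"^(?P<date>\w{3} +\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<rule>rule [^:]+): (?P<action>[^:]+): "
    r"(?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+): (?P<extra>.*)$"
)

def parse_line(line):
    """Split one pflog line into the fields the XML layout carries; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def to_xml(lines, source="pf2xml-0.22"):
    """Emit the page's XML layout with every attribute value escaped and the root element closed."""
    out = ['<?xml version="1.0" encoding="ISO-8859-1" ?>',
           '<?xml-stylesheet type="text/xsl" href="pfxml.xsl" ?>',
           '<pf source=%s>' % quoteattr(source)]
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue  # unparseable line: skip it rather than emit half a record
        out.append('  <timestamp date=%s time=%s />' % (quoteattr(f["date"]), quoteattr(f["time"])))
        out.append('  <reason rule=%s action=%s />' % (quoteattr(f["rule"]), quoteattr(f["action"])))
        out.append('  <source ip=%s port=%s />' % (quoteattr(f["sip"]), quoteattr(f["sport"])))
        out.append('  <destination ip=%s port=%s />' % (quoteattr(f["dip"]), quoteattr(f["dport"])))
        out.append('  <extra information=%s />' % quoteattr(f["extra"]))
    out.append('</pf>')
    return "\n".join(out) + "\n"

def is_well_formed(doc):
    """True if an XML parser accepts the document (an unclosed <pf> would fail here)."""
    try:
        ET.fromstring(doc.encode("iso-8859-1"))
        return True
    except ET.ParseError:
        return False

if __name__ == "__main__":
    print(to_xml(SAMPLE_LINES.splitlines()))
```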


current files: pf2xml version 0.22, an awk script whose output references the XSL file.
pfxml.xsl, the XSL stylesheet used by version 0.22.


a C version is forthcoming. should be easy to do and remove the tcpdump dependency.


available under a 3-clause BSD license.


deadly poster for the idea, jobo for xml feedback, chris for xml feedback. miohael semcheski did the XSL file, thank you! comments always welcome, thanks.