Logging

through bpf, virtual network interface pflog0
link layer header used for pf related information (rule, action)
pflogd appends to pcap file /var/log/pflog
binary pcap files, readable with tcpdump and other tools
conversion to plain text, syslog
filtering expressions