Use a PF ruleset where you "block log" unwanted traffic (i.e. only allow what you want), and use:

    tcpdump -nettt -i pflog0

Make sure you have pflog either in the kernel or loaded as a module, and have pflog_enable="YES" in /etc/rc.conf. This way you can see whether you're having a DoS attack or something like that.
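An added example, not part of the original post: a shell function that tallies blocked packets per source address from the tcpdump output described above, so a flood from one source stands out. The sample lines are constructed, and the assumed line layout and the names blocked_by_source and flood_suspects are illustrative.

```shell
#!/bin/sh
# Added example: per-source counts of packets logged by a "block log" rule.

# Constructed sample lines, laid out the way `tcpdump -nettt -i pflog0`
# is assumed to print them (time delta, rule, action, direction, interface).
sample_pflog() {
cat <<'EOF'
00:00:00.000000 rule 0/0(match): block in on em0: 203.0.113.7.40112 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
00:00:00.000210 rule 0/0(match): block in on em0: 203.0.113.7.40113 > 192.0.2.10.80: Flags [S], seq 2, win 1024, length 0
00:00:00.000198 rule 0/0(match): block in on em0: 203.0.113.7.40114 > 192.0.2.10.80: Flags [S], seq 3, win 1024, length 0
00:00:01.204511 rule 0/0(match): block in on em0: 198.51.100.9 > 192.0.2.10: ICMP echo request, id 7, seq 1, length 64
00:00:00.000305 rule 0/0(match): block in on em0: 203.0.113.7.40115 > 192.0.2.10.80: Flags [S], seq 4, win 1024, length 0
00:00:02.000000 rule 3/0(match): pass in on em0: 192.0.2.55.50000 > 192.0.2.10.22: Flags [S], seq 5, win 65535, length 0
EOF
}

# Reads tcpdump lines on stdin; prints "count source", highest count first.
blocked_by_source() {
    awk '
    {
        # Only lines whose action field is "block" are counted.
        for (i = 1; i <= NF; i++) if ($i == "block") break
        if (i > NF) next
        # The source address is the field just before the ">" separator.
        for (j = i; j <= NF; j++) if ($j == ">") break
        if (j > NF) next
        src = $(j - 1)
        # Drop a trailing ".port": IPv4 a.b.c.d.port, or IPv6 addr.port.
        n = split(src, p, ".")
        if (n == 5) src = p[1] "." p[2] "." p[3] "." p[4]
        else if (n == 2 && index(src, ":")) src = p[1]
        count[src]++
    }
    END { for (s in count) print count[s], s }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Prints sources with at least $1 blocked packets in the input.
flood_suspects() {
    blocked_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demo on the constructed sample.
sample_pflog | blocked_by_source
```

On a live system, feed it a bounded capture, for example `tcpdump -nettt -c 1000 -i pflog0 | blocked_by_source`.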