Matching Log Data To Your Rule Set

pflog log data includes the number of the rule matched in the loaded rule set

$ sudo tcpdump -nettti pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Feb 09 21:56:32.101323 rule 0/(match) match in on xl0: 46.137.7.164.25006 > 213.187.179.198.53: 56777% [1au][|domain]
Feb 09 21:56:32.101376 rule 227/(match) pass in on xl0: 46.137.7.164.25006 > 213.187.179.198.53: 56777% [1au][|domain]
Feb 09 21:56:32.132560 rule 0/(match) match in on xl0: 46.137.7.164.42543 > 213.187.179.198.53: 23527% [1au][|domain]
Feb 09 21:56:32.132591 rule 227/(match) pass in on xl0: 46.137.7.164.42543 > 213.187.179.198.53: 23527% [1au][|domain]
Feb 09 21:56:32.432639 rule 0/(match) match in on ral0: 10.168.103.15.44519 > 199.59.148.30.80: S 4250570822:4250570822(0) 
win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1978946988[|tcp]> (DF)
Feb 09 21:56:32.432705 rule 114/(match) pass in on ral0: 10.168.103.15.44519 > 199.59.148.30.80: S 4250570822:4250570822(0)
 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1978946988[|tcp]> (DF)
Feb 09 21:56:32.432734 rule 3/(match) match out on xl0: 213.187.179.198.44519 > 199.59.148.30.80: S 4250570822:4250570822(0) 
win 16384 <mss 1440,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1978946988[|tcp]>
Feb 09 21:56:32.432744 rule 5/(match) match out on xl0: 213.187.179.198.44519 > 199.59.148.30.80: S 4250570822:4250570822(0) 
win 16384 <mss 1440,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1978946988[|tcp]>
Feb 09 21:56:32.432768 rule 114/(match) pass out on xl0: 213.187.179.198.44519 > 199.59.148.30.80: S 4250570822:4250570822(0) 
win 16384 <mss 1440,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1978946988[|tcp]>

Match the rule numbers in the log to the pfctl -vvsr output
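
An added example (not from the original slides) that tallies the log entries above per rule number and attaches the rule text from a `pfctl -vvsr` listing. The function name `rule_hits` and the rule texts in the sample listing are assumptions constructed for illustration; the log lines are taken from the capture above.

```sh
#!/bin/sh
# rule_hits LOGFILE RULESFILE -> tab-separated: rule, hits, "action dir iface", rule text
rule_hits() {
    awk '
        # First file: pfctl -vvsr listing. Rule lines start with "@<number> ";
        # the indented counter lines that follow each rule are skipped.
        FNR == NR {
            if ($1 ~ /^@[0-9]+$/) { n = substr($1, 2); sub(/^@[0-9]+ /, ""); text[n] = $0 }
            next
        }
        # Second file: tcpdump output. Wrapped continuation lines
        # ("win 16384 <mss ...") have no "rule" field and are skipped.
        $4 != "rule" { next }
        {
            split($5, r, "/")      # "227/(match)" -> 227
            sub(/:$/, "", $9)      # "xl0:" -> "xl0"
            hits[r[1] "\t" $6 " " $7 " " $9]++
        }
        END {
            for (k in hits) {
                split(k, p, "\t")
                t = (p[1] in text) ? text[p[1]] : "(not in this listing)"
                printf "%s\t%d\t%s\t%s\n", p[1], hits[k], p[2], t
            }
        }
    ' "$2" "$1" | LC_ALL=C sort -n
}

log=$(mktemp); rules=$(mktemp)
trap 'rm -f "$log" "$rules"' EXIT
# Log lines taken from the capture above (one wrapped entry included).
cat > "$log" <<'EOF'
Feb 09 21:56:32.101323 rule 0/(match) match in on xl0: 46.137.7.164.25006 > 213.187.179.198.53: 56777% [1au][|domain]
Feb 09 21:56:32.101376 rule 227/(match) pass in on xl0: 46.137.7.164.25006 > 213.187.179.198.53: 56777% [1au][|domain]
Feb 09 21:56:32.132560 rule 0/(match) match in on xl0: 46.137.7.164.42543 > 213.187.179.198.53: 23527% [1au][|domain]
Feb 09 21:56:32.132591 rule 227/(match) pass in on xl0: 46.137.7.164.42543 > 213.187.179.198.53: 23527% [1au][|domain]
Feb 09 21:56:32.432705 rule 114/(match) pass in on ral0: 10.168.103.15.44519 > 199.59.148.30.80: S 4250570822:4250570822(0)
 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1978946988[|tcp]> (DF)
Feb 09 21:56:32.432734 rule 3/(match) match out on xl0: 213.187.179.198.44519 > 199.59.148.30.80: S 4250570822:4250570822(0)
EOF

# Constructed stand-in for `pfctl -vvsr` output; rule texts are assumptions.
cat > "$rules" <<'EOF'
@0 match in all scrub (no-df max-mss 1440)
  [ Evaluations: 100  Packets: 50  Bytes: 4000  States: 0 ]
@114 pass log (matches) inet proto tcp from any to any port = 80
@227 pass in log (matches) on xl0 inet proto udp from any to any port = 53
EOF
rule_hits "$log" "$rules"
```

Rule numbers are positions in the rule set that was loaded when the packet was logged, so compare the log against a listing taken from that same rule set; after a reload the numbers may point at different rules.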