pfTop is available both in the web GUI (via Diagnostics | pfTop) and from the console/SSH (where pfTop is option 9 on the console menu). pfTop is extremely useful because it provides a live view of the state table, as well as the total amount of bandwidth utilized by each state.
pfTop contains several column headings; here, we will enumerate each of the default headings. PR stands for protocol; D stands for direction (this can be in or out); SRC stands for source; and DEST stands for destination. AGE is how long ago the entry was generated. EXP is when the entry expires; PKTS is the number of packets that have been handled by the rule; and BYTES is the number of bytes handled by the rule.
The STATE column is less self-explanatory. This column indicates the state of both sides of the connection, using the format client:server. The state names will not fit into an 80-column computer display, so pfTop uses integers (for example, 1:0). This is what the numbers signify:
| Number | State |
|---|---|
| 0 | TCP_CLOSED |
| 1 | TCP_LISTEN |
| 2 | TCP_SYN_STATE |
| 3 | TCP_SYN_RECEIVED |
| 4 | TCP_ESTABLISHED |
| 5 | TCP_CLOSE_WAIT |
| 6 | TCP_FIN_WAIT1 |
| 7 | TCP_CLOSING |
| 8 | TCP_LAST_ACK |
| 9 | TCP_FIN_WAIT2 |
| 10 | TCP_TIME_WAIT |
As an example, an entry of 4:4 would indicate the state on either side of the connection is TCP_ESTABLISHED. An entry of 1:3 would indicate the state on the client side is TCP_LISTEN and the state on the server side is TCP_SYN_RECEIVED.
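To make the STATE column easier to read when reviewing copied pfTop output, the following added example (not part of the original recipe or of pfSense) decodes client:server pairs with the table above and counts, per source address, TCP entries where either side is still at a SYN stage. The column order (PR D SRC DEST STATE AGE EXP PKTS BYTES), the IPv4 `address:port` form and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Numbers and names exactly as listed in the table above.
TCP_STATES = {
    0: "TCP_CLOSED", 1: "TCP_LISTEN", 2: "TCP_SYN_STATE",
    3: "TCP_SYN_RECEIVED", 4: "TCP_ESTABLISHED", 5: "TCP_CLOSE_WAIT",
    6: "TCP_FIN_WAIT1", 7: "TCP_CLOSING", 8: "TCP_LAST_ACK",
    9: "TCP_FIN_WAIT2", 10: "TCP_TIME_WAIT",
}
# Assumption for this example: these two mean the handshake has not finished.
SYN_STAGE = {"TCP_SYN_STATE", "TCP_SYN_RECEIVED"}

def decode_state(field):
    """Turn a STATE value such as '1:3' into (client_name, server_name)."""
    m = re.fullmatch(r"(\d+):(\d+)", field)
    if not m:
        raise ValueError(f"not a client:server pair: {field!r}")
    client, server = (int(n) for n in m.groups())
    if client not in TCP_STATES or server not in TCP_STATES:
        raise ValueError(f"state number outside the table: {field!r}")
    return TCP_STATES[client], TCP_STATES[server]

def unfinished_handshakes(text):
    """Count TCP entries per source address with either side at a SYN stage."""
    counts = Counter()
    for line in text.splitlines():
        cols = line.split()
        # Skip the header, blank lines and protocols the table does not cover.
        if len(cols) != 9 or cols[0].lower() != "tcp":
            continue
        if SYN_STAGE & set(decode_state(cols[4])):
            counts[cols[2].rsplit(":", 1)[0]] += 1  # drop the port (IPv4 form)
    return counts

# Constructed sample rows in the assumed column order; not real capture data.
SAMPLE = """\
PR   D   SRC               DEST              STATE AGE      EXP      PKTS BYTES
tcp  In  192.0.2.10:51514  198.51.100.5:443  4:4   00:01:12 23:59:50 120  98304
tcp  In  192.0.2.77:40001  198.51.100.5:443  2:0   00:00:03 00:00:27 1    60
tcp  In  192.0.2.77:40002  198.51.100.5:443  2:0   00:00:03 00:00:27 1    60
tcp  In  192.0.2.77:40003  198.51.100.5:443  3:2   00:00:02 00:00:28 2    120
udp  Out 198.51.100.5:5353 192.0.2.53:53     2:1   00:00:10 00:00:50 4    512
"""

if __name__ == "__main__":
    for src, n in unfinished_handshakes(SAMPLE).most_common():
        print(f"{src}: {n} TCP entries with an unfinished handshake")
```

A source with many such entries and few at 4:4 is worth a closer look in the live pfTop view.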
This recipe describes how to use pfTop in pfSense.