pfTop is the first utility covered in this section that is available in both the web GUI (via Diagnostics | pfTop) and from the console/SSH (pfTop is 9 on the console menu). pfTop is extremely useful because it provides a live view of the state table as well as the total amount of bandwidth used by each state. If you are using pfTop from the console, type q to quit and thus return to the console menu.
pfTop contains several column headings, and you could probably guess what most of them stand for; for the sake of clarity, however, we will enumerate each of the default headings here. PR stands for protocol; D stands for direction (this can be in or out); SRC stands for source; and DEST stands for destination. AGE is how long since the entry was generated. EXP is when the entry expires; PKTS is the number of packets that have been handled by the rule; and BYTES is the number of bytes handled by the rule.
STATE deserves a bit of an explanation. This column indicates the state of both sides of the connection, using the format client:server. The states will not fit into an 80-column computer display, so pfTop uses integers (for example, 1:0). This is what the numbers signify:
|
Number |
State |
|
0 |
TCP_CLOSED |
|
1 |
TCP_LISTEN |
|
2 |
TCP_SYN_STATE |
|
3 |
TCP_SYN_RECEIVED |
|
4 |
TCP_ESTABLISHED |
|
5 |
TCP_CLOSE_WAIT |
|
6 |
TCP_FIN_WAIT1 |
|
7 |
TCP_CLOSING |
|
8 |
TCP_LAST_ACK |
|
9 |
TCP_FIN_WAIT2 |
|
10 |
TCP_TIME_WAIT |
As an example, an entry of 4:4 would indicate that the state on either side of the connection is TCP_ESTABLISHED. An entry of 1:3 would indicate that the state on the client side is TCP_LISTEN and the state on the server side is TCP_SYN_RECEIVED.
Although pfTop is quite usable as a command-line utility, if you use pfTop within the web GUI, you can very easily change the output to suit your needs. The View drop-down menu lets you control how pfTop displays its output and provides the following options:
- label: This column represents the rule being invoked
- long: Display protocol, source, destination, gateway, state, and age
- queue: If the traffic shaper is configured, pfTop will display results organized by queue
- rules: Display each rule being invoked in the rightmost column
There is also a Sort by drop-down box. This allows you to sort output in descending order by several categories. There is a Maximum # of States drop-down box. This allows you to set the number of states that appear on each page.
Keep in mind that when you run pfTop from the console, it runs in interactive mode. Thus, pfTop reads commands from the terminal and acts upon them accordingly.