pfTop is available in both the web GUI (by navigating to Diagnostics | pfTop), and at the console (it is 9 on the console menu). pfTop provides a live view of the state table and the total amount of bandwidth utilized by each state. If you are using pfTop from the console, type q to quit; this will return you to the console menu.
Most of the column headings in pfTop are self-explanatory. For example, the default view provides the following column headings: PR, D, SRC, DEST, STATE, AGE, EXP, PKTS, and BYTES.
PR stands for protocol; D stands for direction (in or out); SRC and DEST stand for source and destination, respectively; AGE indicates how long it has been since the entry was created; EXP indicates when the entry expires; PKTS indicates the number of packets that have been handled by the rule; and BYTES indicates the number of bytes.
STATE indicates the state of the connection in the format client:server. Since the states will not fit into an 80-column table, pfTop uses integers, such as 1:0. The numbers signify the following:
|
Number |
State |
|
0 |
TCP_CLOSED |
|
1 |
TCP_LISTEN |
|
2 |
TCP_SYN_SENT |
|
3 |
TCP_SYN_RECEIVED |
|
4 |
TCP_ESTABLISHED |
|
5 |
TCP_CLOSE_WAIT |
|
6 |
TCP_FIN_WAIT_1 |
|
7 |
TCP_CLOSING |
|
8 |
TCP_LAST_ACK |
|
9 |
TCP_FIN_WAIT_2 |
|
10 |
TCP_TIME_WAIT |
Thus, an entry of 1:0 indicates that the state on the client side is TCP_LISTEN, and the state on the server side is TCP_CLOSED.
One of the advantages of using pfSense within the web GUI is that it is very easy to change the output to suit your needs. The View drop-down menu allows you to choose how pfTop displays its output. There are several options, including:
- label: The LABEL column represents the rule that is being invoked, and how many packets, bytes, and states are accounted for by the rule
- long: Displays the protocol, source, destination, gateway, state, and age of each entry
- queue: If the traffic shaper is configured, it will display results organized by queue
- rules: This option will display each rule being invoked in the rightmost column, and the number of states associated with each rule
There is also a Sort by drop-down box, which allows you to sort output in descending order by several categories (for example, Bytes, Age, Destination Address, Source Address, and others). The Maximum # of States drop-down box allows you to control the number of states that appear on the page.
If you run pfTop from the console, it will be running in interactive mode, which means that pfTop will read commands from the terminal and act upon them accordingly; characters will be processed as soon as they are typed, and the display will be updated immediately after the characters are processed.