pfTop

pfTop is available from the GUI and the console menu. It offers live views of the firewall ruleset, state table information, and related statistics.

pfTop in the GUI

The GUI page for pfTop is at Diagnostics > pfTop. The GUI offers several options to control the output:

View:

Controls the type of output displayed by pfTop. Not all views will contain meaningful information for every firewall configuration.

Default:

Shows a balanced amount of information, based around the source and destination of the traffic.

Label:

Centered around firewall rule descriptions.

Long:

Similar to the default view, but tailored for wider displays with longer rows for more columns of information. Shows the gateway after the destination.

Queue:

Shows the ALTQ traffic shaping queues and their usage.

Rules:

Shows firewall rules and their usage.

Size:

Shows states that have passed the most data.

Speed:

Shows states that have high-rate traffic.

State:

Shows status of states.

Time:

Shows long-lived states.

Filter Expression:

An expression used to match groups of states to include in the output.

The expression can include several different types of filtering, such as:

  • Filter by protocol: proto <ip|ip6|ah|carp|esp|icmp|ipv6-icmp|pfsync|tcp|udp>

  • Filter by address: [src|dst|gw] [host|net|port] <host/network/port>

  • Filter by direction: [in|out]

Sort By:

Some views can be sorted. When sorting is possible, the following sort methods are available. When selected, the view is sorted by the chosen column in descending order:

None:

No sorting, the natural order shown by the chosen view.

Age:

The age of the states.

Bytes:

The amount of data sent matching the state.

Destination Address:

The destination IP address of the state.

Destination Port:

The destination port number of the state.

Expiry:

The expiration time of the state. This is the countdown timer until the state will be removed if no more data matches the state.

Peak:

The peak rate of traffic matching a state in packets per second.

Packet:

The number of packets transferred matching a state.

Rate:

The current rate of traffic matching a state in packets per second.

Size:

The total amount of traffic that has matched a state.

Source Port:

The source port number of the state.

Source Address:

The source IP address of the state.

Maximum # of States:

On views that support sorting, this option limits the number of state entries shown on the page.

pfTop on the Console

To access pfTop from the console or via ssh use option 9 from the menu or run pftop from a shell prompt.

While viewing pfTop in this way, there are several methods to alter the view while watching its output.

The most common options are:

  • Press h to see a help screen that explains the available choices.

  • Press 0 through 8 to select different views

  • Press space for an immediate update

  • Press q to quit

See the previous section for details on the meaning of the available views and sort orders.

The output is dynamically sized to the terminal width, with wider terminals showing much more information in additional columns.