Viewing States with pfTop¶

pfTop is available from the GUI and the system console menu, and offers live views of the firewall ruleset, state table information, and related statistics.

pfTop in the GUI¶

In the GUI, pfTop can be found at Diagnostics > pfTop. The GUI offers several options to control the output:

View

Controls the type of output displayed by pfTop. Not all views will contain meaningful information for every firewall configuration.

Default: Shows a balanced amount of information, based around the source and destination of the traffic.
Label: Centered around firewall rule descriptions.
Long: Similar to the default view, but tailored for wider displays with longer rows for more columns of information. Shows the gateway after the destination.
Queue: Shows the ALTQ traffic shaping queues and their usage.
Rules: Shows firewall rules and their usage.
Size: Shows states that have passed the most data.
Speed: Shows states that have high-rate traffic.
State: Shows status of states.
Time: Shows long-lived states.

Sort By

Some views can be sorted. When sorting is possible, the following sort methods are available. When selected, the view is sorted by the chosen column in descending order:

None: No sorting, the natural order shown by the chosen view.
Age: The age of the states.
Bytes: The amount of data sent matching states.
Destination Address: The destination IP address of the state.
Destination Port: The destination port number of the state.
Expiry: The expiration time of the state. This is the countdown timer until the state will be removed if no more data matches the state.
Peak: The peak rate of traffic matching a state in packets per second.
Packet: The number of packets transferred matching a state.
Rate: The current rate of traffic matching a state in packets per second.
Size: The total amount of traffic that has matched a state.
Source Port: The source port number of the state.
Source Address: The source IP address of the state.

Maximum # of States

On views that support sorting, this option limits the number of state entries shown on the page.

pfTop on the Console¶

To access pfTop from the console or via ssh, use option 9 from the menu or run pftop from a shell prompt.

While viewing pfTop in this way, there are several methods to alter the view while watching its output. Press h to see a help screen that explains the available choices. The most common uses are using 0 through 8 to select different views, space for an immediate update, and q to quit. See the previous section for details on the meaning of the available views and sort orders.

The output is dynamically sized to the terminal width, with wider terminals showing much more information in additional columns.