pfTop

pfTop is available from the GUI and the console menu. It offers live views of the firewall ruleset, state table information, and related statistics.

pfTop in the GUI

The GUI page for pfTop is at Diagnostics > pfTop. The GUI offers several options to control the output:

View

Controls the type of output displayed by pfTop. Not all views will contain meaningful information for every firewall configuration.

Default

Shows a balanced amount of information, based around the source and destination of the traffic.

Label

Centered around firewall rule descriptions.

Long

Similar to the default view, but tailored for wider displays with longer rows for more columns of information. Shows the gateway after the destination.

Queue

Shows the ALTQ traffic shaping queues and their usage.

Rules

Shows firewall rules and their usage.

Size

Shows states that have passed the most data.

Speed

Shows states that have high-rate traffic.

State

Shows status of states.

Time

Shows long-lived states.

Filter Expression

An expression used to match groups of states to include in the output.

The expression can include several different types of filtering, such as:

  • Filter by protocol: proto <ip|ip6|ah|carp|esp|icmp|ipv6-icmp|pfsync|tcp|udp>

  • Filter by address: [src|dst|gw] [host|net|port] <host/network/port>

  • Filter by direction: [in|out]

Sort By

Some views can be sorted. When sorting is possible, the following sort methods are available. When selected, the view is sorted by the chosen column in descending order:

None

No sorting, the natural order shown by the chosen view.

Age

The age of the states.

Bytes

The amount of data sent matching the state.

Destination Address

The destination IP address of the state.

Destination Port

The destination port number of the state.

Expiry

The expiration time of the state. This is the countdown timer until the state will be removed if no more data matches the state.

Peak

The peak rate of traffic matching a state in packets per second.

Packet

The number of packets transferred matching a state.

Rate

The current rate of traffic matching a state in packets per second.

Size

The total amount of traffic that has matched a state.

Source Port

The source port number of the state.

Source Address

The source IP address of the state.

Maximum # of States

On views that support sorting, this option limits the number of state entries shown on the page.

pfTop on the Console

To access pfTop from the console or via ssh use option 9 from the menu or run pftop from a shell prompt.

While viewing pfTop in this way, there are several methods to alter the view while watching its output.

The most common options are:

  • Press h to see a help screen that explains the available choices.

  • Press 0 through 8 to select different views

  • Press space for an immediate update

  • Press q to quit

See the previous section for details on the meaning of the available views and sort orders.

The output is dynamically sized to the terminal width, with wider terminals showing much more information in additional columns.