pftop

Pftop is a small, curses-based utility for real-time display of active states and rule statistics for pf, the packet filter. for OpenBSD.
Current release pftop-0.7, written and maintained by Can E. Acar.

Screenshots:

80 column: 
pfTop: Up State 1-3/64, View: default, Order: none

PR   DIR SRC                  DEST                 STATE   AGE   EXP  PKTS BYTES
icmp Out 192.168.100.32:361   192.168.100.22:361    0:0      9     1     2    96
icmp Out 192.168.100.32:361   192.168.100.23:361    0:0      9     1     2    96
tcp  In  192.168.100.7:1029   192.168.100.32:443    4:4   4165 86302 25871 9251K

120 column: 
pfTop: Up State 1-3/68, View: default, Order: none

PR   DIR SRC                      DEST                              STATE                AGE       EXP     PKTS    BYTES
tcp  In  192.168.100.1:1029       192.168.100.32:80        ESTABLISHED:ESTABLISHED  01:12:52  23:58:55    25873  9473801
tcp  In  192.168.100.9:38474      192.168.100.32:25        ESTABLISHED:ESTABLISHED  00:02:47  24:00:00      193   140803
tcp  In  192.168.100.12:1031      192.168.100.32:110       ESTABLISHED:ESTABLISHED  06:27:26  23:55:31    37249 15556515

Changes in version 0.7:
This version adds state filtering, which is funded by backcountry.com, many thanks. It is now possible to select which states are displayed using a tcpdump(8) like filtering language. The filter can be specified on the command line, using the '-f' switch. It is also possible to change the filter interactively using the 'f' command key. Some sample, not necessarily practical, filters are given below:

  • Do not show pfsync or carp traffic:
    •   not (pfsync or carp)
  not pfsync and not carp
  • DNS traffic not going to or coming from the DNS servers:
    •   port 53 and not host (10.0.0.10 or 10.0.0.11)
  • States with input bytes greater than 1M:
    •   inb > 1000000
  • Traffic with very small average packet size:
    •   ((inb / inp) + (outb / outp))/2 < 100
  inb / inp + outb / outp < 200

    Changes in version 0.6:
    No functional changes. It now compiles and runs on OpenBSD 4.1-current after pf interface changes. This version also contains separated pf and display code. This should make adding new views easier.

    Changes in version 0.5:
    This version displays all active pf rules by traversing the ruleset tree. In addition HFSC queues are now displayed correctly thanks to Jared Spiegel. This version also incorporates other patches and comments I have received since the previous release. Many thanks to all who have contributed.

  • New command-line switch 'S' to start the display at a given state.
  • Display HFCS statistics in the queue page.
  • Fixed state and rule byte and packet counters
  • Fixed state sorting by packets and bytes
  • Fixed some minor display problems
  • The rule view now traverses all rulesets, and displays all active rules, together with anchor (ruleset) names.
  • Anchor and Label fields dynamically resize themselves


    • Changes in version 0.4:
    This version adds caches states between updates, making it possible to compute per state throughput. The rule and state views are improved. There is a new ALTQ view by Primož Gabrijelčič

  • Better, stable state sorting using mergesort.
  • New command 'p' to pause view updates
  • Add state cache to store a number of states between updates (configurable with -c command line switch, defaults to 10000)
  • Compute and display instantaneous and peak throughput for cached states.
  • New sortable state fields 'peak' and 'rate' and a new 'speed' view for throughput display.
  • New 'queue' view that displays information about ALTQ queues. Contributed by Primož Gabrijelčič, thanks.
  • Improved, more detailed rule view.


    • Changes in version 0.3:
    This version is developed with invaluable help from Camiel Dobbelaar who fixed many documentation, style(9) and interface issues and tested most of the changes and suggested improvements. Many thanks.

  • Fix performance issues with a large number of states.
  • Fix a typo that would cause pftop to crash if rules are added while pftop is running.
  • Display states like in pfctl on wide displays.
  • Display interface and extra rule information in Rule views.
  • Display local time at the upper right corner
  • New -w option to set display width in raw mode.
  • Removed redundant -n option.
  • New key bindings to make the interface more like 'top'.
  • Left/Right cursor keys switch views.
  • CTRL-L refreshes display, SPACE updates immediately.
  • New command 's' to set display update interval
  • New command 'n' to set number of lines in display


    • Changes in version 0.2:
    There are no big changes in version 0.2. Just minor additions/corrections to make porting easier.

  • Fix make install (suggested by Greg Fitzgerald)
  • Move manual page to section 8, minor corrections to the manpage.
  • Use getprotobynumber in state display. bonus: protocol column is now consistently lowercase. (suggested by Camiel Dobbelaar)
  • Steal more code from pfctl to display state column in text for large displays. (suggested by Camiel Dobbelaar & Daniel Hartmeier)
  • Display age and expiry columns in HH:MM:SS format as in pfctl (suggested by Daniel Hartmeier)
  • Left/right cursor keys switch views.
  • Increase viewing area by condensing header lines. (suggested by Camiel Dobbelaar)


    • For more information read the manual page
    download: pftop-0.7.tar.gz


    previous versions:
  • pftop-0.6.tar.gz
  • pftop-0.5.tar.gz
  • pftop-0.4.tar.gz
  • pftop-0.3.tar.gz
  • pftop-0.2.tar.gz
  • pftop-0.1.tar.gz


    • MD5 (pftop-0.7.tar.gz) = 2fdef1e3fffc38ae40f27aa2dfdcf6fc
    MD5 (pftop-0.6.tar.gz) = c84fb960d36e9a9271c211c98efae062
    MD5 (pftop-0.5.tar.gz) = d4bdb5dfa7722f76ed3027c1d0be1653
    MD5 (pftop-0.4.tar.gz) = d33b3a30152bac7d50d019a78bc58c72
    MD5 (pftop-0.3.tar.gz) = 6227be2a51ba79cca1fe9e18fbe495dc
    MD5 (pftop-0.2.tar.gz) = 8c561d8fdd8893d0df535cf970b9850c
    MD5 (pftop.tar.gz) = 643db786c9904fdab0e5a339221e29e1

    for comments and suggestions, please contact canacar (at) openbsd.org