Find Host With Most Active States
-
Last night I got some alarms from our NMS that a few devices were unreachable - actually, they were down and up a number of times within a few minute span. After some initial checks I logged in to our edge pfSense 2.0 Release box and saw the number of active states was quite high. The hardware reports the max state table size (with the custom size field left blank) is 323000 - for a while last night I was seeing that plus a little more (ie. 334122). I did some browsing through some of the states (obviously couldn't display all of them) to see if I could find a pattern of what internal host was making a larger than normal number of connections but couldn't make sense of it. I increase the max states to 400000 and they were all used up just as quickly.
So, in a circumstance such as this, is there a way to view the top hosts based on active states through the firewall? Even CLI would be fine to track this down. This device hosts approx. 600 hosts behind it. Again, it is running 2.0 Release, running CARP with a backup unit that was also seeing the high number of states.
Any help is appreciated. Thanks in advance.
Aaron
-
Hmm. The help document for the Diagnostics: State Table Summary page says you can order by different criteria, however this reordering functionality appears to be absent from 2.0-RELEASE.
-
Install tcptrack freebsd package at console.
-
Happened again last night. I will try this today. Thank you.
-
I had thought I made that sortable, guess not.
