Tools for tracking what is in each queue?

  • I'm looking for decent tools for tracking connections as they travel through the traffic shaper. Mostly I'm looking to monitor my default queue to watch for traffic that I should be siphoning off into other queues (my room mate might install a new p2p app, for instance). Also it would be useful for making sure that my rules really are grabbing all the traffic they should be.

    If there isn't one specific tool which can perform this feat, what combination would work best?

    I've got bandwidthd installed, which is useful for aggregate totals, but since the p2p and passive ftp traffic on my network is on non-standard ports (and I can't find a way to modify what ports are in which groups for bandwidthd) most everything is classified as 'tcp' traffic, which isn't particularly helpful. The state table can be useful sometimes, but I frequently have 1300-2500 states from the bittorrent downloads that are a near constant reality. I'm hoping there's something out there that is a little more sophisticated than those two options.

  • To check live traffic go to the shell (or even better ssh with a big screen if you have enabled it at system>advanced) and run pftop. It will show you bandwidthusage and states and so on in realtime.

  • I've used that before, but if I have a couple of bittorrent transfers going totaling 2 or 3 megabits (but nicely tucked into the p2p queue), I have a hard time finding the source of the 200 kilobits going out the default queue.

    But yes, that is a useful tool, I was just hoping for something with a bit more granularity. Unless pftop does have the the granularity I'm looking for and I just haven't played with it enough, I'm more familiar with iftop on linux. If pftop has support to use regex to remove certain types of traffic from the displayed connections, then that would be useful.

  • Hi, use command in to shell:
    "tcpdump -e -i pflog0 dst host"

    tcpdump -e -i pflog0 src host

    tcpdump: WARNING: pflog0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
    13:05:02.396415 rule 719.qlandef.50/0(match): pass in on rl1:                                                      > S 1488749629:1488749629(0) win 65535 <mss 1460,nop,nop,sa =""  ="" ckok="">13:05:19.054825 rule 719.qlandef.50/0(match): pass in on rl1: > F 1625822815:1625822815(0) ack 2522178552 win 65192
    13:05:19.107717 rule 719.qlandef.50/0(match): pass in on rl1: > S 3563559450:3563559450(0) win 65535</mss>