Change in pftop paramaters



  • I have a small monitor connected to my pfSense box and leave pftop running 24/7 so I can keep a casual eye on connections. I see it as I walk past probably 100 times a day. I leave an instance of pftop running on my FreeBSD laptop too so I'm used to looking at the output from that service.

    Tonight, a couple hours ago, in addition to the regular output parameters:

    pfTop: Up State 1-12/12, View: default, Order: bytes
    PR    D SRC                   DEST                 STATE   AGE   EXP  PKTS BYTES
    
    

    A GW section showing activity for the Gateway IP# on my router appeared in the output between the DEST and STATE sections. I checked out the pftop output from the web GUI and strangely enough it hadn't changed to show the GW output the monitor was showing. So I'm looking at the pftop output from my pfSense box on my laptop and console monitor at the same time and seeing 2 different output parameters from the same service on the same box.

    I've been running it like this the better part of a year and am just curious as to why it would change all of a sudden without any reason to do so. I had to reboot 2 days ago due to unrelated problems with my internet connection but hadn't changed anything or logged onto it since then. I originally thought it might have updated itself from pfSense 2.0.1 but that wasn't the case. I checked my logs and other than a couple blocked instances of somebody trying to connect to my gateway IP# from their port 21 a couple days ago nothing seems out of the ordinary. Any idea what's going on with it?

    TIA



  • I stopped the pftop service from the console and when I restarted it everything was back to normal, meaning it was no longer showing the GW parameter, so I don't know what was going on with it. I've never seen it do that before or had any similar behavior out of it.

    I just rebuilt the installation a little over a week ago so it's a fresh build.  I ran a full scan of all TCP and UDP ports on it earlier today from a machine on the LAN and everything was as it should be.


  • Rebel Alliance Developer Netgate

    Some keys in pftop will toggle between different views.

    Press "?" for a list of keys/commands while viewing pfTop.

    From your description it sounds like someone pressed 'v' on the keyboard.


  • Netgate Administrator

    Awesomely simple explanation.  ;D
    Looks like view '1'. Coincidentally very close to 'q'?  ;)

    Learned some things about pftop, thanks.

    Steve



  • That for the answer, I wasn't aware of the options you could use with it. Pressing 1 makes it show the same output with the GW field I was seeing.

    As for someone pressing it on the keyboard, I'm the only one here and had been nowhere near the keyboard for a couple days prior to when I noticed it. I'm so used to seeing it I'm sure I would have noticed it before then if that's how it had been since I originally brought up the screen. That's obviously what caused it though.

    Thanks again.


Locked