Netgate Discussion Forum

    Lots of states and reading pftop

      Harvy66

      I have about 9000 "established" TCP states that look like this from pftop

      pfTop: Up State 1-10937/10937, View: default, Order: bytes
      PR    D SRC                  DEST                STATE  AGE  EXP  PKTS BYTES
      tcp  I 192.168.1.2:38492    84.106.136.112:43945  4:4  18946 67465    9  382
      tcp  O 192.168.1.2:38492    84.106.136.112:43945  4:4  18946 67465    9  382
      tcp  I 192.168.1.2:39470    136.227.175.115:4361  4:4  18898 67512    9  382
      tcp  O 192.168.1.2:39470    136.227.175.115:4361  4:4  18898 67512    9  382
      tcp  I 192.168.1.2:40276    145.120.202.67:50512  4:4  18870 67541    9  382
      tcp  O 192.168.1.2:40276    145.120.202.67:50512  4:4  18870 67541    9  382

      Sometimes many from the same address

      pfTop: Up State 1-10937/10937, View: default, Order: bytes
      PR    D SRC                  DEST                STATE  AGE  EXP  PKTS BYTES
      tcp  O 192.168.1.2:37692    202.99.241.162:12070  4:4  15447 70960    7  308
      tcp  I 192.168.1.2:38942    202.99.241.162:12070  4:4  15376 71031    7  308
      tcp  O 192.168.1.2:38942    202.99.241.162:12070  4:4  15376 71031    7  308
      tcp  I 192.168.1.2:40213    202.99.241.162:12070  4:4  15305 71102    7  308
      tcp  O 192.168.1.2:40213    202.99.241.162:12070  4:4  15305 71102    7  308
      tcp  I 192.168.1.2:41507    202.99.241.162:12070  4:4  15234 71173    7  308

      If I'm reading pftop correctly, many of these connections are 4 hours (15k+ seconds) old and are scheduled to expire more than a day (71k+ seconds) from now. I already know the offending program, Deluge. The DHT (distributed hash table) likes to make a lot of connections.

      The UDP states are fine, but it seems a few offending external IP addresses have about 400+ TCP states each. So while PFSense shows about 8000 TCP connections, TCPView shows about 100.

      It is curious to know how TCP can remain "established" when fewer than 400 bytes are sent via 7-8 packets over a time span of 4+ hours. Shouldn't those TCP connections have timed out by now?

      edit:
      I guess my questions are
      Is this normal for PFSense?
      If not, I assume I did something wrong, where should I look?
      If it is, is there a way to force the expiration of an idle (no packets being ack'd) TCP connection after some amount of time? To me, lots of pointless (from my non-experienced perspective) connections just create noise.

      Thanks!

      I'm having so much fun with PFSense!

      P.S. tried stopping the iperf "service" and it decided to use 100% cpu for a good 3 minutes before I finally shelled in and killed the pid.

        Harvy66

        I may have found what I was looking for

        http://lists.pfsense.org/pipermail/list/2012-April/001952.html

        Looks like an established TCP connection has a VERY long timeout. So my question is what benefit does this give me? Assuming my router can handle it, how can I use this to better manage/troubleshoot/diagnose/etc? I assume there is a reason for such long timeouts. I think I read before that idle connections will get evicted if the state table starts getting full, so these states shouldn't hurt anything.

        Thanks!

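An added example, not part of the thread: a small parser for the pftop default view quoted above that derives how long each state has been idle and counts distinct idle established connections per remote address. It assumes pf's default `tcp.established` timeout of 86400 seconds and that adaptive timeouts are not scaling it; the function names are illustrative.

```python
import re
from collections import defaultdict

# Assumption: pf's default tcp.established timeout of 86400 s (24 h) is in effect.
TCP_ESTABLISHED_TIMEOUT = 86400

# Rows copied from the pftop output quoted in the post (default view).
SAMPLE = """\
PR    D SRC                  DEST                STATE  AGE  EXP  PKTS BYTES
tcp  I 192.168.1.2:38492    84.106.136.112:43945  4:4  18946 67465    9  382
tcp  O 192.168.1.2:38492    84.106.136.112:43945  4:4  18946 67465    9  382
tcp  O 192.168.1.2:37692    202.99.241.162:12070  4:4  15447 70960    7  308
tcp  I 192.168.1.2:38942    202.99.241.162:12070  4:4  15376 71031    7  308
tcp  O 192.168.1.2:38942    202.99.241.162:12070  4:4  15376 71031    7  308
tcp  I 192.168.1.2:40213    202.99.241.162:12070  4:4  15305 71102    7  308
tcp  O 192.168.1.2:40213    202.99.241.162:12070  4:4  15305 71102    7  308
tcp  I 192.168.1.2:41507    202.99.241.162:12070  4:4  15234 71173    7  308
"""

ROW = re.compile(
    r"^\s*(?P<proto>\w+)\s+(?P<dir>[IO])\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<state>\d+:\d+)\s+(?P<age>\d+)\s+(?P<exp>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s*$"
)

def parse_pftop(text, timeout=TCP_ESTABLISHED_TIMEOUT):
    """Parse default-view rows; add 'idle' = seconds since the last packet."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header, blank line
        row = m.groupdict()
        for key in ("age", "exp", "pkts", "bytes"):
            row[key] = int(row[key])
        # EXP counts down from the timeout and resets on every packet.
        row["idle"] = max(0, timeout - row["exp"])
        rows.append(row)
    return rows

def idle_established_by_remote(rows, min_idle=3600):
    """Distinct idle ESTABLISHED (4:4) TCP connections per remote IP, busiest first."""
    conns = defaultdict(set)
    for row in rows:
        if row["proto"] == "tcp" and row["state"] == "4:4" and row["idle"] >= min_idle:
            # I and O rows describe the same connection; the set collapses them.
            conns[row["dst"].rsplit(":", 1)[0]].add((row["src"], row["dst"]))
    return dict(sorted(((ip, len(c)) for ip, c in conns.items()), key=lambda kv: -kv[1]))

if __name__ == "__main__":
    for ip, count in idle_established_by_remote(parse_pftop(SAMPLE)).items():
        print(f"{ip:<16} {count} idle established connection(s)")
```

For the first quoted row, AGE is 18946 and the derived idle time is 18935, so the last packet passed about 11 seconds after the state was created.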
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.