Lots of states and reading pftop



  • I have about 9000 "established" TCP states that look like this from pftop

    pfTop: Up State 1-10937/10937, View: default, Order: bytes
    PR    D SRC                  DEST                STATE  AGE  EXP  PKTS BYTES
    tcp  I 192.168.1.2:38492    84.106.136.112:43945  4:4  18946 67465    9  382
    tcp  O 192.168.1.2:38492    84.106.136.112:43945  4:4  18946 67465    9  382
    tcp  I 192.168.1.2:39470    136.227.175.115:4361  4:4  18898 67512    9  382
    tcp  O 192.168.1.2:39470    136.227.175.115:4361  4:4  18898 67512    9  382
    tcp  I 192.168.1.2:40276    145.120.202.67:50512  4:4  18870 67541    9  382
    tcp  O 192.168.1.2:40276    145.120.202.67:50512  4:4  18870 67541    9  382

    Sometimes many from the same address

    pfTop: Up State 1-10937/10937, View: default, Order: bytes
    PR    D SRC                  DEST                STATE  AGE  EXP  PKTS BYTES
    tcp  O 192.168.1.2:37692    202.99.241.162:12070  4:4  15447 70960    7  308
    tcp  I 192.168.1.2:38942    202.99.241.162:12070  4:4  15376 71031    7  308
    tcp  O 192.168.1.2:38942    202.99.241.162:12070  4:4  15376 71031    7  308
    tcp  I 192.168.1.2:40213    202.99.241.162:12070  4:4  15305 71102    7  308
    tcp  O 192.168.1.2:40213    202.99.241.162:12070  4:4  15305 71102    7  308
    tcp  I 192.168.1.2:41507    202.99.241.162:12070  4:4  15234 71173    7  308

    If I'm reading pftop correctly, many of these connections are 4 hours (15k+ seconds) old and are scheduled to expire more than a day (71k+ seconds) from now. I already know the offending program, Deluge. The DHT (distributed hash table) likes to make a lot of connections.

    The UDP states are fine, but it seems a few offending external IP addresses have about 400+ TCP states each. So while pfSense shows about 8000 TCP connections, TCPView shows about 100.

    It is curious to know how TCP can remain "established" when fewer than 400 bytes are sent via 7-8 packets over a time span of 4+ hours. Shouldn't those TCP connections have timed out by now?

    edit:
    I guess my questions are
    Is this normal for pfSense?
    If not, I assume I did something wrong; where should I look?
    If it is, is there a way to force the expiration of an idle (no packets being ACKed) TCP connection after some amount of time? To me, lots of pointless (from my non-experienced perspective) connections just create noise.

    Thanks!

    I'm having so much fun with pfSense!

    P.S. I tried stopping the iperf "service" and it decided to use 100% CPU for a good 3 minutes before I finally shelled in and killed the PID.

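Reading pftop by eye gets hard at ten thousand states. The script below is an added example (not the poster's code, and not part of pfSense or pftop): it parses pftop's default-view lines, decodes the STATE column (pf prints the BSD tcp_fsm.h state numbers, so 4:4 is ESTABLISHED on both sides), collapses the I/O pair shown for each flow into one entry, counts flows per remote host and flags the long-lived, almost-traffic-free states the post is asking about. The sample input is constructed from the lines quoted in the post; the age and packet thresholds are assumptions.

```python
"""Added example (not the poster's code, not pfSense/pftop code): parse pftop
state lines like the ones quoted above, count TCP flows per remote host and
flag long-lived ESTABLISHED states that have carried almost no traffic."""
import re
from collections import Counter

# TCP state numbers as printed in pftop's STATE column (src:dst). pf uses the
# BSD tcp_fsm.h values, so "4:4" means ESTABLISHED on both sides.
TCP_STATE_NAMES = {
    0: "CLOSED", 1: "LISTEN", 2: "SYN_SENT", 3: "SYN_RCVD", 4: "ESTABLISHED",
    5: "CLOSE_WAIT", 6: "FIN_WAIT_1", 7: "CLOSING", 8: "LAST_ACK",
    9: "FIN_WAIT_2", 10: "TIME_WAIT",
}

# pftop default view columns: PR D SRC DEST STATE AGE EXP PKTS BYTES
LINE_RE = re.compile(
    r"^\s*(?P<proto>tcp|udp)\s+(?P<dir>[IO])\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<age>\d+)\s+(?P<exp>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)"
)


def parse_pftop(text):
    """Return one dict per state line; the pfTop banner and header are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        for key in ("age", "exp", "pkts", "bytes"):
            e[key] = int(e[key])
        e["remote_ip"] = e["dst"].rsplit(":", 1)[0]  # IPv4 host:port only
        entries.append(e)
    return entries


def decode_tcp_state(state):
    """'4:4' -> ('ESTABLISHED', 'ESTABLISHED')."""
    src, dst = (int(x) for x in state.split(":"))
    return TCP_STATE_NAMES[src], TCP_STATE_NAMES[dst]


def flows(entries, proto="tcp"):
    """Key each flow by (proto, src, dst) so the I and O lines pftop shows for
    the same connection (identical counters in the post) count once."""
    seen = {}
    for e in entries:
        if e["proto"] == proto:
            seen.setdefault((e["proto"], e["src"], e["dst"]), e)
    return seen


def states_per_remote(entries, proto="tcp"):
    """How many distinct flows each remote host holds open, the '400+ per IP' view."""
    return Counter(e["remote_ip"] for e in flows(entries, proto).values())


def idle_established(entries, min_age=3600, max_pkts=10):
    """Flows ESTABLISHED both ways, at least min_age seconds old, with at most
    max_pkts packets ever seen. Thresholds are assumptions for illustration."""
    return [
        e for e in flows(entries, "tcp").values()
        if decode_tcp_state(e["state"]) == ("ESTABLISHED", "ESTABLISHED")
        and e["age"] >= min_age and e["pkts"] <= max_pkts
    ]


# Constructed sample: the lines quoted in the post, with the original headers.
SAMPLE = """\
pfTop: Up State 1-10937/10937, View: default, Order: bytes
PR    D SRC                  DEST                STATE  AGE  EXP  PKTS BYTES
tcp  I 192.168.1.2:38492    84.106.136.112:43945  4:4  18946 67465    9  382
tcp  O 192.168.1.2:38492    84.106.136.112:43945  4:4  18946 67465    9  382
tcp  I 192.168.1.2:39470    136.227.175.115:4361  4:4  18898 67512    9  382
tcp  O 192.168.1.2:39470    136.227.175.115:4361  4:4  18898 67512    9  382
tcp  I 192.168.1.2:40276    145.120.202.67:50512  4:4  18870 67541    9  382
tcp  O 192.168.1.2:40276    145.120.202.67:50512  4:4  18870 67541    9  382
tcp  O 192.168.1.2:37692    202.99.241.162:12070  4:4  15447 70960    7  308
tcp  I 192.168.1.2:38942    202.99.241.162:12070  4:4  15376 71031    7  308
tcp  O 192.168.1.2:38942    202.99.241.162:12070  4:4  15376 71031    7  308
tcp  I 192.168.1.2:40213    202.99.241.162:12070  4:4  15305 71102    7  308
tcp  O 192.168.1.2:40213    202.99.241.162:12070  4:4  15305 71102    7  308
tcp  I 192.168.1.2:41507    202.99.241.162:12070  4:4  15234 71173    7  308
"""

if __name__ == "__main__":
    entries = parse_pftop(SAMPLE)
    for ip, n in states_per_remote(entries).most_common():
        print(f"{ip:<18} {n} tcp flows")
    for e in idle_established(entries):
        print(f"idle: {e['src']} -> {e['dst']} age={e['age']}s pkts={e['pkts']}")
```

On a live box the same parser works on `pftop -b` batch output piped in, or on `pfctl -ss` after adjusting the regex, since the state numbers and columns are the same data.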


  • I may have found what I was looking for

    http://lists.pfsense.org/pipermail/list/2012-April/001952.html

    Looks like an established TCP connection has a VERY long timeout. So my question is what benefit does this give me? Assuming my router can handle it, how can I use this to better manage/troubleshoot/diagnose/etc.? I assume there is a reason for such long timeouts. I think I read before that idle connections will get evicted if the state table starts getting full, so these states shouldn't hurt anything.

    Thanks!
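The two things the thread touches on, the long tcp.established timeout and the "evicted when the table fills up" behaviour, are pf's idle timeouts and adaptive timeouts from pf.conf(5). The block below is an added example (not from the post, the mailing-list thread, or pfSense) that works the arithmetic through: for an idle state, pftop's EXP is the timeout minus the AGE, which is why AGE + EXP in the quoted lines comes out to roughly 86400; and once the table holds more than adaptive.start entries pf scales every timeout by (adaptive.end - states) / (adaptive.end - adaptive.start), reaching zero at adaptive.end. The timeout and adaptive values are pf's documented defaults; pfSense derives adaptive.start/end from its own state limit, so plug in the values from its Advanced settings or `pfctl -st` for a real answer. The 10937 figure is taken from the pfTop banner in the post.

```python
"""Added example (not the poster's code, not pfSense code): pf idle timeouts
and adaptive scaling as described in pf.conf(5), worked through for the
numbers in the post. Defaults below are pf's, not necessarily pfSense's."""

# pf.conf(5) default idle timeouts, in seconds.
PF_DEFAULT_TIMEOUTS = {
    "tcp.first": 120, "tcp.opening": 30, "tcp.established": 86400,
    "tcp.closing": 900, "tcp.finwait": 45, "tcp.closed": 90,
    "udp.first": 60, "udp.single": 30, "udp.multiple": 60,
}
# pf.conf(5) defaults; pfSense computes its own from the state-table limit.
ADAPTIVE_START = 6000
ADAPTIVE_END = 12000


def effective_timeout(timeout, states, start=ADAPTIVE_START, end=ADAPTIVE_END):
    """Timeout pf actually applies when the table holds `states` entries.
    Below `start` nothing changes; between `start` and `end` the timeout
    shrinks linearly; at `end` idle states expire at once. adaptive.start 0
    disables the scaling. Integer seconds, as the kernel works in."""
    if start == 0 or states <= start:
        return timeout
    if states >= end:
        return 0
    return timeout * (end - states) // (end - start)


def remaining(timeout, age, states, start=ADAPTIVE_START, end=ADAPTIVE_END):
    """Seconds left for a state that has been idle for `age` seconds: what
    pftop's EXP column shows when no packet has refreshed the state."""
    return max(0, effective_timeout(timeout, states, start, end) - age)


def is_expired(timeout, age, states, start=ADAPTIVE_START, end=ADAPTIVE_END):
    return remaining(timeout, age, states, start, end) == 0


def established_lifetime_table(state_counts, timeout=PF_DEFAULT_TIMEOUTS["tcp.established"]):
    """Effective tcp.established timeout for each table size in state_counts."""
    return {n: effective_timeout(timeout, n) for n in state_counts}


if __name__ == "__main__":
    est = PF_DEFAULT_TIMEOUTS["tcp.established"]
    # Quoted line: AGE 18946, EXP 67465. With no scaling, EXP = 86400 - AGE.
    print("no scaling, age 18946 ->", remaining(est, 18946, states=5000))
    # Same state on a stock-pf box holding the 10937 states from the banner.
    for n, t in established_lifetime_table([5000, 8000, 10937, 12000]).items():
        print(f"{n:>6} states: idle ESTABLISHED expires after {t:>6} s")
    print("expired at 10937 states?", is_expired(est, 18946, states=10937))
```

Two practical notes follow from the arithmetic. First, EXP counting down from 86400 is the default and not a misconfiguration; shortening it (pfSense exposes this through its firewall optimization and timeout settings, or `set timeout tcp.established` in raw pf) trades table noise for the risk of dropping a genuinely quiet long-lived session such as an idle SSH connection. Second, adaptive scaling only starts at adaptive.start, so on a box whose limit is far above 11k states the idle DHT connections in the post will not be touched until the table is much fuller.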

