Lots of states and reading pftop
-
I have about 9000 "established" TCP states that look like this from pftop
pfTop: Up State 1-10937/10937, View: default, Order: bytes
PR D SRC DEST STATE AGE EXP PKTS BYTES
tcp I 192.168.1.2:38492 84.106.136.112:43945 4:4 18946 67465 9 382
tcp O 192.168.1.2:38492 84.106.136.112:43945 4:4 18946 67465 9 382
tcp I 192.168.1.2:39470 136.227.175.115:4361 4:4 18898 67512 9 382
tcp O 192.168.1.2:39470 136.227.175.115:4361 4:4 18898 67512 9 382
tcp I 192.168.1.2:40276 145.120.202.67:50512 4:4 18870 67541 9 382
tcp O 192.168.1.2:40276 145.120.202.67:50512 4:4 18870 67541 9 382
Sometimes many from the same address:
pfTop: Up State 1-10937/10937, View: default, Order: bytes
PR D SRC DEST STATE AGE EXP PKTS BYTES
tcp O 192.168.1.2:37692 202.99.241.162:12070 4:4 15447 70960 7 308
tcp I 192.168.1.2:38942 202.99.241.162:12070 4:4 15376 71031 7 308
tcp O 192.168.1.2:38942 202.99.241.162:12070 4:4 15376 71031 7 308
tcp I 192.168.1.2:40213 202.99.241.162:12070 4:4 15305 71102 7 308
tcp O 192.168.1.2:40213 202.99.241.162:12070 4:4 15305 71102 7 308
tcp I 192.168.1.2:41507 202.99.241.162:12070 4:4 15234 71173 7 308
If I'm reading pftop correctly, many of these connections are 4 hours (15k+ seconds) old and are scheduled to expire more than a day (71k+ seconds) from now. I already know the offending program, Deluge. The DHT (distributed hash table) likes to make a lot of connections.
The UDP states are fine, but it seems a few offending external IP addresses have about 400+ TCP states each. So while PFSense shows about 8000 TCP connections, TCPView shows about 100.
It is curious to know how TCP can remain "established" when fewer than 400 bytes are sent via 7-8 packets over a time span of 4+ hours. Shouldn't those TCP connections have timed out by now?
edit:
I guess my questions are
Is this normal for PFSense?
If not, I assume I did something wrong, where should I look?
If it is, is there a way to force the expiration of an idle (no packets being ack'd) TCP connection after some amount of time? To me, lots of pointless (from my non-experienced perspective) connections just create noise.
Thanks!
I'm having so much fun with PFSense!
P.S. tried stopping the iperf "service" and it decided to use 100% cpu for a good 3 minutes before I finally shelled in and killed the pid.
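The arithmetic behind those AGE/EXP columns can be checked directly from the posted output. The script below is an added example (not code from the post or from pfSense/pftop): it parses pftop lines in the column layout shown above, collapses the I/O pair pf keeps for each connection onto one 4-tuple, works out how long each ESTABLISHED state has been idle, and counts states per remote host. It assumes pf's default `set timeout tcp.established` of 86400 seconds is in effect (the posted AGE+EXP sums of ~86400 are consistent with that); the UDP line and the idle/packet thresholds are constructed for illustration.

```python
"""Summarise pftop TCP states: long-lived, near-idle connections per peer.

Added example, not from the original post or from pfSense. The sample lines
reproduce the posted column layout (PR D SRC DEST STATE AGE EXP PKTS BYTES);
the udp line is constructed, and the timeout value is an assumption.
"""
from collections import defaultdict

# pf's default `set timeout tcp.established` (seconds). Assumed to be the
# effective timeout here; pf scales timeouts down only when the state count
# passes the adaptive.start threshold, so EXP may be smaller on a fuller table.
TCP_ESTABLISHED_TIMEOUT = 86400

# pf reports TCP states with tcp_fsm.h numbers; 4 is ESTABLISHED, so "4:4"
# means both ends of the connection are established as far as pf can tell.
TCP_ESTABLISHED_BOTH_WAYS = "4:4"

SAMPLE_PFTOP = """\
PR D SRC DEST STATE AGE EXP PKTS BYTES
tcp I 192.168.1.2:38492 84.106.136.112:43945 4:4 18946 67465 9 382
tcp O 192.168.1.2:38492 84.106.136.112:43945 4:4 18946 67465 9 382
tcp I 192.168.1.2:39470 136.227.175.115:4361 4:4 18898 67512 9 382
tcp O 192.168.1.2:39470 136.227.175.115:4361 4:4 18898 67512 9 382
tcp O 192.168.1.2:37692 202.99.241.162:12070 4:4 15447 70960 7 308
tcp I 192.168.1.2:38942 202.99.241.162:12070 4:4 15376 71031 7 308
tcp O 192.168.1.2:38942 202.99.241.162:12070 4:4 15376 71031 7 308
tcp I 192.168.1.2:40213 202.99.241.162:12070 4:4 15305 71102 7 308
tcp O 192.168.1.2:40213 202.99.241.162:12070 4:4 15305 71102 7 308
udp I 192.168.1.2:6881 203.0.113.7:6881 2:2 45 15 12 1800
"""


def parse_pftop(text):
    """Return one dict per data line; the header and anything malformed is skipped."""
    states = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9 or f[0] not in ("tcp", "udp", "icmp"):
            continue
        states.append({
            "proto": f[0], "dir": f[1], "src": f[2], "dst": f[3], "state": f[4],
            "age": int(f[5]), "exp": int(f[6]), "pkts": int(f[7]), "bytes": int(f[8]),
        })
    return states


def connections(states):
    """Collapse the inbound/outbound state pair pf keeps for one routed
    connection onto a single entry keyed by protocol and endpoints, so a
    count of connections is not double what the host's own socket table shows."""
    by_key = {}
    for s in states:
        by_key.setdefault((s["proto"], s["src"], s["dst"]), s)
    return list(by_key.values())


def idle_seconds(state, timeout=TCP_ESTABLISHED_TIMEOUT):
    """Seconds since a packet last refreshed this state. pf rearms the expiry
    timer to the full timeout on every matching packet, so EXP = timeout - idle."""
    return max(0, timeout - state["exp"])


def active_window(state, timeout=TCP_ESTABLISHED_TIMEOUT):
    """Seconds between state creation and the last packet pf saw on it."""
    return state["age"] - idle_seconds(state, timeout)


def stale_established(states, max_idle, max_pkts):
    """Connections pf still lists as ESTABLISHED both ways that have been idle
    for at least max_idle seconds and carried no more than max_pkts packets."""
    return [c for c in connections(states)
            if c["proto"] == "tcp" and c["state"] == TCP_ESTABLISHED_BOTH_WAYS
            and idle_seconds(c) >= max_idle and c["pkts"] <= max_pkts]


def states_per_peer(states):
    """Number of TCP connections per remote host, to spot a single peer that
    is holding hundreds of states open."""
    counts = defaultdict(int)
    for c in connections(states):
        if c["proto"] == "tcp":
            counts[c["dst"].rsplit(":", 1)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    st = parse_pftop(SAMPLE_PFTOP)
    # Thresholds are arbitrary for the demo: one hour idle, at most 20 packets.
    for c in stale_established(st, max_idle=3600, max_pkts=20):
        print(f"{c['dst']:<24} age={c['age']:>6}s idle={idle_seconds(c):>6}s "
              f"active={active_window(c):>3}s pkts={c['pkts']}")
    print(states_per_peer(st))
```

Run against the posted rows, every one of these states sent its 7 to 9 packets inside the first ~10 seconds of its life and has been silent since; pf only leaves ESTABLISHED when it sees a FIN or RST, so a peer that simply vanished (or a local socket the OS already discarded without a teardown pf noticed) sits there until the tcp.established timer runs out. The knob for that timer in pf.conf is `set timeout tcp.established`; the list post linked in the follow-up covers where pfSense exposes it.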
-
I may have found what I was looking for
http://lists.pfsense.org/pipermail/list/2012-April/001952.html
Looks like an established TCP connection has a VERY long timeout. So my question is what benefit does this give me? Assuming my router can handle it, how can I use this to better manage/troubleshoot/diagnose/etc.? I assume there is a reason for such long timeouts. I think I read before that idle connections will get evicted if the state table starts getting full, so these states shouldn't hurt anything.
Thanks!