Quoting David Newman <[EMAIL PROTECTED]>:
> Looking for info on seeing near-real-time or real-time info on TCP
> connection states using pftop.
>
> A 4.3-release box has pf rules that allow Windows Remote Desktop
> connections from a handful of sources.
>
> pftop shows entries something like the following:
>
> PR  D SRC            DEST           STATE   AGE   EXP  PKTS BYTES
> tcp I 666.1.2.3:2048 666.4.5.6:3389   4:4 32387 57663 40930   10M
> tcp O 666.1.2.3:2048 666.4.5.6:3389   4:4 32397 57653 40930   10M
>
> Problem is, this RDC session ended more than two hours ago.
>
> The pftop(8) manpage says the EXP column means there are more than
> 40,000 seconds left until these entries expire.
>
> Is there some better way of monitoring current TCP connection states?

Perhaps the connection didn't close cleanly? You can use `pfctl -ss
-v` to show all the states and their ages, etc.

> ps. Tangential, but where can I learn more about the "STATE" column
> above? I don't see anything in the manpage about the meaning of "4:4"
> but perhaps I missed it.

It seems to be the numerical representation of the state's status in
pf's state table, i.e. 4:4 == ESTABLISHED:ESTABLISHED. Grab putty or
something and maximize the window to see the descriptive versions.
--
Tim Donahue
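An added example, not part of the original messages and not pftop's own code: it decodes the numeric STATE pair using the TCPS_* numbering from <netinet/tcp_fsm.h> and estimates how long each established state has been idle, so lingering entries can be told apart from live sessions. The 86400-second default for tcp.established with no adaptive or per-rule timeouts is an assumption, and the names Entry, parse_pftop and stale are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# TCPS_* numbering from <netinet/tcp_fsm.h>; pf keeps one value per peer.
TCP_STATES = ("CLOSED", "LISTEN", "SYN_SENT", "SYN_RCVD", "ESTABLISHED",
              "CLOSE_WAIT", "FIN_WAIT_1", "CLOSING", "LAST_ACK",
              "FIN_WAIT_2", "TIME_WAIT")
TCP_ESTABLISHED_TIMEOUT = 86400  # assumption: default tcp.established, unscaled

# Constructed sample: the two pftop rows quoted in the thread, header unwrapped.
SAMPLE = """\
PR D SRC DEST STATE AGE EXP PKTS BYTES
tcp I 666.1.2.3:2048 666.4.5.6:3389 4:4 32387 57663 40930 10M
tcp O 666.1.2.3:2048 666.4.5.6:3389 4:4 32397 57653 40930 10M
"""

@dataclass
class Entry:
    direction: str
    src: str
    dst: str
    state: str            # decoded peer states, e.g. ESTABLISHED:ESTABLISHED
    age: int              # seconds since the state was created
    expires: int          # seconds until pf purges the state
    idle: Optional[int]   # estimated seconds since the last packet

def decode_state(pair: str) -> str:
    def name(n: int) -> str:
        return TCP_STATES[n] if 0 <= n < len(TCP_STATES) else f"UNKNOWN({n})"
    return ":".join(name(int(p)) for p in pair.split(":"))

def parse_pftop(text: str, timeout: int = TCP_ESTABLISHED_TIMEOUT) -> list:
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9 or f[0] != "tcp":
            continue  # header, wrapped or non-TCP row
        age, exp = int(f[5]), int(f[6])
        idle = None
        if f[4] == "4:4" and 0 <= timeout - exp <= age:
            idle = timeout - exp  # pf re-arms the expiry on every packet
        entries.append(Entry(f[1], f[2], f[3], decode_state(f[4]), age, exp, idle))
    return entries

def stale(entries: list, min_idle: int = 7200) -> list:  # 7200 s = two hours
    return [e for e in entries if e.idle is not None and e.idle >= min_idle]

if __name__ == "__main__":
    print(*stale(parse_pftop(SAMPLE)), sep="\n")
```

Under the stated timeout assumption, both rows from the thread come out as ESTABLISHED:ESTABLISHED with roughly 28,700 seconds since the last packet, which is what a state looks like when pf never saw the connection close.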