On 6/12/08 9:14 PM, Tim Donahue wrote:
Quoting David Newman <[EMAIL PROTECTED]>:

Looking for info on seeing near-real-time or real-time info on TCP
connection states using pftop.

A 4.3-release box has pf rules that allow Windows Remote Desktop
connections from a handful of sources.

pftop shows entries something like the following:

PR    D SRC                   DEST                 STATE   AGE   EXP   PKTS  BYTES
tcp   I 666.1.2.3:2048        666.4.5.6:3389       4:4     32387 57663 40930 10M
tcp   O 666.1.2.3:2048        666.4.5.6:3389       4:4     32397 57653 40930 10M

Problem is, this RDC session ended more than two hours ago.

The pftop(8) manpage says the EXP column means there are more than
40,000 seconds left until these entries expire.

Is there some better way of monitoring current TCP connection states?


Perhaps the connection didn't close cleanly? You can use `pfctl -ss -v` to show all the states and their ages, etc.

Yes, that may be the issue. IE (along with some but not all other apps in Windows XP) closes TCP connections with a RST rather than a FIN. In some cases I'm seeing a mismatch between pfctl and pftop readings, with the latter claiming a TCP connection is still around even after it's long gone. At least for me, pfctl provides more up-to-date reporting.



ps. Tangential, but where can I learn more about the "STATE" column
above? I don't see anything in the manpage about the meaning of "4:4"
but perhaps I missed it.

It seems to be the numerical representation of the state's status in pf's state table, i.e. 4:4 == ESTABLISHED:ESTABLISHED. Grab putty or something and maximize the window to see the descriptive versions.

Yes, that works, thanks. I'm going to contact Can Acar offlist to see about contributing more detail to the manpage.

dn

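As an added illustration of the two points in this thread (not code from the thread or from pftop/pfctl), the script below decodes the numeric STATE pairs in pftop-style output and flags ESTABLISHED TCP states whose AGE has passed a threshold, so they can be cross-checked against `pfctl -ss -v`. It assumes pf's TCP state codes follow the BSD netinet/tcp_fsm.h numbering (4 == ESTABLISHED); the sample lines and addresses are constructed.

```python
"""Decode pftop(8)-style state lines and flag long-lived TCP states.

Added example, not from the original thread. Assumes pf reports TCP states
with the BSD netinet/tcp_fsm.h numbering, so "4:4" is ESTABLISHED:ESTABLISHED.
"""
import re

# tcp_fsm.h numbering (assumed to match what pftop / pfctl -ss print).
TCP_STATES = {
    0: "CLOSED", 1: "LISTEN", 2: "SYN_SENT", 3: "SYN_RCVD",
    4: "ESTABLISHED", 5: "CLOSE_WAIT", 6: "FIN_WAIT_1", 7: "CLOSING",
    8: "LAST_ACK", 9: "FIN_WAIT_2", 10: "TIME_WAIT",
}

# Constructed sample in pftop column order: PR D SRC DEST STATE AGE EXP PKTS BYTES.
SAMPLE = """\
tcp I 192.0.2.3:2048 198.51.100.6:3389 4:4 32387 57663 40930 10M
tcp O 192.0.2.3:2048 198.51.100.6:3389 4:4 32397 57653 40930 10M
tcp I 192.0.2.9:51022 198.51.100.6:3389 9:9 120 85 3 260
udp I 192.0.2.9:53012 198.51.100.53:53 SINGLE:MULTIPLE 5 55 2 180
"""

LINE = re.compile(r"^(\S+)\s+([IO])\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

def decode_state(code):
    """'4:4' -> 'ESTABLISHED:ESTABLISHED'; non-numeric (udp) codes pass through."""
    parts = code.split(":")
    if all(p.isdigit() for p in parts):
        return ":".join(TCP_STATES.get(int(p), f"UNKNOWN({p})") for p in parts)
    return code

def parse_pftop(text):
    """Parse pftop-style lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        proto, direction, src, dst, state, age, exp, pkts, nbytes = m.groups()
        rows.append({"proto": proto, "dir": direction, "src": src, "dst": dst,
                     "state": decode_state(state), "age": int(age),
                     "exp": int(exp), "pkts": int(pkts), "bytes": nbytes})
    return rows

def stale_established(rows, max_age):
    """ESTABLISHED TCP states older than max_age seconds: candidates for a
    pfctl -ss -v cross-check, since a RST-closed session may linger in pftop."""
    return [r for r in rows
            if r["proto"] == "tcp" and r["state"] == "ESTABLISHED:ESTABLISHED"
            and r["age"] > max_age]

if __name__ == "__main__":
    for r in stale_established(parse_pftop(SAMPLE), max_age=7200):
        print(f'{r["dir"]} {r["src"]} -> {r["dst"]} {r["state"]} age={r["age"]}s exp={r["exp"]}s')
```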