Can Erkin Acar recently announced the availability of "a small curses-based utility for real-time display of pf states and rules." The format of the generated output is quite similar to that of 'top', though in this case displaying information about PF, the packet filter introduced in OpenBSD 3.0. The utility is named 'pfTop'.

I tested the utility on my 64-bit Sparc Ultra 1 which runs OpenBSD 3.1, and was quite impresesed, in spite this being a very early release of the tool. While the program is running, pressing 'h' displays a help screen listing the available commands, and 'v' switches through seven different views of the available information. Details on compilation and a small view of the generated output follow.

---

Compiling pftop is a snap, as simple as extracting the source ball, moving into the new directory and typing 'make':

 $ tar xvfz pftop-0.1.tar.gz
  pftop-0.1
  pftop-0.1/Makefile
  pftop-0.1/pftop.1
  pftop-0.1/pftop.c
  $ cd pftop-0.1
  $ ls -l
  total 74
  -rw-r--r--  1 jandrews  wheel    233 Sep  3 04:50 Makefile
  -rwxr-xr-x  1 jandrews  wheel   5340 Sep  3 04:50 pftop.1
  -rw-r--r--  1 jandrews  wheel  29949 Sep  3 04:50 pftop.c
  $ make
  cc -O2   -Wall -DOS_LEVEL=31   -c pftop.c
  cc   -o pftop pftop.o -lcurses
  nroff -Tascii -mandoc pftop.1 > pftop.cat1
  $

Then, running the tool provides output similar looking to the familiar 'top', updating at regular intervals. (Note: you need to have read access to /dev/pf, meaning you'll probably need to be root)

  pfTop: State: 1 - 3 of 3
  Order: None  View: Default

   PR  DI SRC                  DEST                 STATE   AGE   EXP  PKTS BYTES
   TCP In 10.10.10.12:52401    10.10.10.13:22        4:4   1416 86400  1701  145K
   UDP Ou 10.10.10.13:8161     24.122.21.34:53       2:1      5    25     2   384
   UDP Ou 10.10.10.13:46699    24.122.21.34:53       2:1      5    25     2   312

This example shows three connections. The first is an incoming ssh connection, and the other two are outgoing name server lookups. This being a test server, there's not much activity.

What's shown above is only the default view. By typing 'v' there are several other views: 'Long', 'State', 'Time', 'Size', 'Rules' and 'Label'. Typing 'h' displays the following help screen:

   pfTop Help

      o  - change Ordering
      r  - change order diRection
      n  - No ordering
      a  - order by Age
      e  - order by Expiry time
      b  - order by number of Bytes
      p  - order by number of packets
      s  - order by Source address
      S  - order by Source port
      d  - order by Destination address
      D  - order by Destination port
      v  - change View
     0-4 - set state view
     5,6 - set rule view
      h  - Help (this page)
      q  - Quit

      cursor keys  - scroll display

      press any key to continue ...

After my minimal testing, I've already become quite convinced that this is an extremely useful little utility.

---

From: Can Erkin Acar
To: tech AT openbsd.org
Subject: New utility: pftop
Date: Tue, 3 Sep 2002 13:07:06 +0300

I have been working on a small curses-based utility for
real-time display of pf states and rules. I believe
it is now stable/useful enough.

Tested on i386, 3.0-stable and 3.1-current
not tested with ipv6 (but should work)

Please test and comment ...

http://www.eee.metu.edu.tr/~canacar/pftop-0.1.tar.gz

MD5 (pftop-0.1.tar.gz) = 026626663a15afc7a3f6d79fdb7d54a2

Can

Note: The program uses ${OSrev} in Makefile to adjust to
the changes in pf. However, for 3.1-current, the
value must be manually adjusted to enable a few
additional features (see comment in Makefile).

---

Related Links:

• Google archive of above thread