Can Erkin Acar recently announced the availability of "a small curses-based utility for real-time display of pf states and rules." The format of the generated output is quite similar to that of 'top', though in this case displaying information about PF [1], the packet filter introduced in OpenBSD 3.0. The utility is named 'pfTop [2]'.
I tested the utility on my 64-bit Sparc Ultra 1 which runs OpenBSD 3.1, and was quite impressed, in spite of this being a very early release of the tool. While the program is running, pressing 'h' displays a help screen listing the available commands, and 'v' switches through seven different views of the available information. Details on compilation and a small view of the generated output follow.
Compiling pftop is a snap, as simple as extracting the source ball, moving into the new directory and typing 'make':
$ tar xvfz pftop-0.1.tar.gz
pftop-0.1
pftop-0.1/Makefile
pftop-0.1/pftop.1
pftop-0.1/pftop.c
$ cd pftop-0.1
$ ls -l
total 74
-rw-r--r-- 1 jandrews wheel 233 Sep 3 04:50 Makefile
-rwxr-xr-x 1 jandrews wheel 5340 Sep 3 04:50 pftop.1
-rw-r--r-- 1 jandrews wheel 29949 Sep 3 04:50 pftop.c
$ make
cc -O2 -Wall -DOS_LEVEL=31 -c pftop.c
cc -o pftop pftop.o -lcurses
nroff -Tascii -mandoc pftop.1 > pftop.cat1
$
Then, running the tool provides output that looks similar to the familiar 'top', updating at regular intervals. (Note: you need read access to /dev/pf, which in practice means you'll probably need to be root.)
pfTop: State: 1 - 3 of 3
Order: None View: Default
PR  DI SRC               DEST            STATE  AGE   EXP PKTS BYTES
TCP In 10.10.10.12:52401 10.10.10.13:22    4:4 1416 86400 1701  145K
UDP Ou 10.10.10.13:8161  24.122.21.34:53   2:1    5    25    2   384
UDP Ou 10.10.10.13:46699 24.122.21.34:53   2:1    5    25    2   312
This example shows three connections. The first is an incoming ssh connection, and the other two are outgoing name server lookups. This being a test server, there's not much activity.
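The state view is easy to post-process once you know the column layout. As an added example (not part of pftop or of the original article), here is a small Python parser for state lines in the layout shown above, assuming the columns PR DI SRC DEST STATE AGE EXP PKTS BYTES and that the K/M/G counter suffixes are binary (1024-based) units; it reproduces the 'b' (order by Bytes) ordering and summarises inbound states per destination port.

```python
from collections import namedtuple

# Constructed sample: the pfTop state view shown above, in the assumed
# column layout PR DI SRC DEST STATE AGE EXP PKTS BYTES.
SAMPLE = """\
pfTop: State: 1 - 3 of 3
Order: None View: Default
PR  DI SRC               DEST            STATE  AGE   EXP PKTS BYTES
TCP In 10.10.10.12:52401 10.10.10.13:22    4:4 1416 86400 1701  145K
UDP Ou 10.10.10.13:8161  24.122.21.34:53   2:1    5    25    2   384
UDP Ou 10.10.10.13:46699 24.122.21.34:53   2:1    5    25    2   312
"""

# Assumption: pftop's K/M/G counter suffixes are binary (1024-based) units.
SUFFIX = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

# direction is 'In'/'Ou' (pftop abbreviates Out); state is the pf pair as printed.
State = namedtuple("State", "proto direction src sport dst dport state "
                            "age expire packets nbytes")

def parse_count(tok):
    """Turn an abbreviated counter such as '145K' into an integer."""
    return int(float(tok[:-1]) * SUFFIX[tok[-1]]) if tok[-1] in SUFFIX else int(tok)

def parse_states(text):
    """Parse the state lines, skipping the banner and the column header."""
    states = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9 or f[0] == "PR":
            continue
        src, sport = f[2].rsplit(":", 1)  # rsplit keeps IPv6 addresses intact
        dst, dport = f[3].rsplit(":", 1)
        states.append(State(f[0], f[1], src, int(sport), dst, int(dport), f[4],
                            int(f[5]), int(f[6]), parse_count(f[7]), parse_count(f[8])))
    return states

def by_bytes(states):
    """The ordering pftop's 'b' key gives: largest flows first."""
    return sorted(states, key=lambda s: s.nbytes, reverse=True)

def inbound_by_port(states):
    """Count inbound states per destination port: which services are being reached."""
    counts = {}
    for s in states:
        if s.direction == "In":
            counts[s.dport] = counts.get(s.dport, 0) + 1
    return counts
```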
What's shown above is only the default view. Typing 'v' cycles through several other views: 'Long', 'State', 'Time', 'Size', 'Rules' and 'Label'. Typing 'h' displays the following help screen:
pfTop Help
o - change Ordering
r - change order diRection
n - No ordering
a - order by Age
e - order by Expiry time
b - order by number of Bytes
p - order by number of packets
s - order by Source address
S - order by Source port
d - order by Destination address
D - order by Destination port
v - change View
0-4 - set state view
5,6 - set rule view
h - Help (this page)
q - Quit
cursor keys - scroll display
press any key to continue ...
After my minimal testing, I've already become quite convinced that this is an extremely useful little utility.
From: Can Erkin Acar
To: tech AT openbsd.org
Subject: New utility: pftop
Date: Tue, 3 Sep 2002 13:07:06 +0300
I have been working on a small curses-based utility for
real-time display of pf states and rules. I believe
it is now stable/useful enough.
Tested on i386, 3.0-stable and 3.1-current
not tested with ipv6 (but should work)
Please test and comment ...
http://www.eee.metu.edu.tr/~canacar/pftop-0.1.tar.gz [3]
MD5 (pftop-0.1.tar.gz) = 026626663a15afc7a3f6d79fdb7d54a2
Can
Note: The program uses ${OSrev} in Makefile to adjust to
the changes in pf. However, for 3.1-current, the
value must be manually adjusted to enable a few
additional features (see comment in Makefile).
Related Links:
- Google archive of above thread [4]