I've used pfTop in a lot of my videos. I've included it in my tool video for tools for troubleshooting pfSense. And I want to do a video specifically on it just to cover real quick a couple of the ways you build things and expand upon it a little bit of how you would build filters so you can understand what's going on.
So pfTop is the active packet filter display for BSD and it is built into pfSense. They've done a nice job with the web interface on it, so you don't have to remember all the command line from it, but it does run as a command line utility. You can view the labels, long, queue, rule, size, state, and speed. And I have my production firewall over here as I want to show you. You can use it also for just tracking the queue when you're doing things like I am here. This is my setup for how we're routing VoIP traffic. So as we see the VoIP traffic passing back and forth, we can see how many bytes are in the queue based on what it's doing.
So like I said, it's a great tool when you're troubleshooting firewall rules. And specifically related to rules, when we switch it over to the rule sets, you can then see what's being dropped and what's going through the rules. If you are doing any advanced firewall work, especially with pfSense, pfTop is just a great go-to utility for doing these things, which is why I'm covering it today.
So we're going to change the view back to default. And just so you know, if you ever want to see it inside of pfSense in the command line, SSH in here. This is what it looks like from here. So it sees the same thing, whether you do it from the command line or not, we're going to change seconds to delay to that. We press F for filter, host 192.683.9, which is my computer. And I can see the TCP connection I have over SSH on port 222 for this particular machine in here. So it's, like I said, whatever way you want to use it, it works much the same way.
They've just done a nice job of putting it in so you don't have to run it from the command line or do it in the terminal. But either way does work. Let's get this back out of the way. Clear.
First thing we'll do is show you how you build the filters. So the filter's really easy. We're going to go ahead and filter for a specific host. And you just put host 192.168.40.112. No connection to that host right now. It's a Linux Debian load, clean load. So it doesn't really do much right now. It's just kind of chilling out there. And we'll go ahead and SSH into it. So we're passing through the firewall. It's at 40.112. There's a NAT rule to get it from 3.150. And if you can read that up here, that's the firewall name, our firewall IP address, and we're SSHing in. And it takes a second. Boom, now we see the TCP connection.
Now, if I wanted to show everything but this host, so we've now established this is the only thing that this host is showing. But if you wanted to invert that information, we could just put an exclamation point in front. That means show me anything except that host. So when you're building the expressions, and they have all the details for building expressions down here in a man page, always take the time to read the man. Use this tool a lot because once you get used to using it, it's pretty handy. But this is how you can do not, and, or or.
So when you want to build this information, so when I want to see this host, just change that to and protocol TCP. There we go. So now we filtered it for that and protocol TCP. What about if we did for protocol UDP? Oops, I guess we'll UDP right. Search protocol UDP. All right, now there's not really any connections. But we have DNS perf loaded in here. We're going to go ahead and DNS perf is just a free little utility that's on GitHub and it does a DNS test. So it's going to do a whole lot of lookups, which of course is going to fill our screen with all the different connections on there.
And if we said just show me things that aren't UDP, back to putting an exclamation point in front of it. I think you can use the word not. Yeah, that works too. So not UDP or exclamation point like they show down here. So pretty straightforward to do that.
Now a couple more advanced things you can do with pfTop: establish things like an entire network. So you want to see, and especially if you have multiple networks, multiple VLANs, it really doesn't matter, any defined network in pfSense. It doesn't matter if it's an actual network card or a VLAN, you can say things like this. You can say net 192.168.40.0/24. So it can show me that particular net. Now this works with not just local networks. We can say what's going to this particular network block? So if you have something going to a particular external network block, that's an option to be able to do there. And this is actually the Microsoft network block.
Now what I do is I have a Windows 10 machine. We're going to show how that views there. So we're going to pull this up real quick. And we're going to restart this Windows 10 machine. I purposely didn't use anything other than the console for my VM manager here, which is Xen Orchestra. So we're going to watch what happens and the call outs it has when it starts booting up. And in fact, we'll actually use filter for this particular host, which is this. So here's all the connections getting established for that particular host. They were already established because it was running. It's going to establish a lot more of them. So instead of sort by this, we're going to sort by expiration. And we have all these new connections that are coming up right now as this boots. So all right, that's booted. And we'll try that other one here, that net one. And here we are. We're able to see that it's trying to connect to this network.
Now if you didn't know the 40 block right here, slash 12, 40.80.0.0/12, that happens to be Microsoft's network. And whenever a Windows 10 machine boots up, it's one of the many networks it calls out to. Matter of fact, when we had that as a host here, so bring it back to that host. You can see how many connections this machine has decided to call out on. And that's just the nature of Windows. It does that.
Now a few other things you can do when you're trying to trace out something. If you know the destination port, if you're using some custom application, you can look for, whoops, I typed in protocol, I meant to type in port 443. And you can look for maybe things that are only doing SSH, or I'm sorry, HTTPS connections, or SSH connections on port 22. We only want to see things on the network doing that. And maybe you have too many things on there, then you would start building again on top of there: port 22 and host 192.168.40.112. So now we can say, all right, only show me any SSH connection related to that particular host.
At least this is a great utility. It's not hard to use, but that's what I want to make sure is you just understood how to build the filter expressions. They give you a handy little reminder here. And as long as your problem isn't not getting online, you can click the link right here, it brings you to the man page. So you can start building your advanced tools. It doesn't do any long-term logging, it's not a logging utility, it's just a filtering utility for active connections and where they're going and what the state of that expression is, or state of that connection is. So it tells you if it's established, if it's wait and what it's actually doing. But great way to figure out where things are going and just really helpful when you're trying to figure out why there are so many connections to this IP address. I'm gonna go out on a limb here before we exit that if I did a whois, no, that's Akamai.
Something else Windows decides to talk to; apparently it reaches out to the Akamai Content Delivery Network as well. Wow, it has a lot of connections. That's why you need this filter to really try to filter things out. There's a lot of connections. This is only two computers on my lab network here. If I pull it up on our main network, this is, without filtering it, you just can't look through all the connections on there.
All right, hopefully this is helpful. Get playing with pfTop, it's great for learning, it's great for understanding packet states and how things are going and it's a great handy utility. I'm so happy it's built into pfSense because it's a great little Swiss Army knife to start troubleshooting things.
Thanks for watching. If you enjoyed this video, go ahead and hit the thumbs up. If you wanna see more content from my channel, go ahead and hit subscribe and the bell icon and hopefully YouTube will send you a notice. If you're interested in contracting launch systems for any type of IT services work or consulting work, go ahead and head over to launchsystems.com and fill out our contact and get in touch with us. If you would like to help the channel out in other ways, you can use our affiliate links below in the description or we have a link directly to our launch systems page where we have a list of different affiliate offers and it's very appreciated if you use any of those for signing up any of the services and many of them offer you discounts. If you wanna head over to our forums, there'll be a link in the description for our forums, wherever they may be, because we've been looking at different forum platforms but they'll always be relevantly linked right there. All right, once again, thanks. Leave some feedback and comments below on this video. If you loved it, if you hated it, I try to reply to everyone, the people who hate and the people who love them. So thank you very much and see you next time.