Pfstat

From freebsd.xn--wesstrm-f1a.se

Overview

Pfstat is a small application that specifically queries pf for statistics. It knows about all the features of pf that a general framework like SNMP doesn't. Pfstat collects the data in a database and produces graphs from it, but nothing more. You have to create the web pages displaying the graphs yourself but that is outside the scope of this tutorial.

Instructions

Installation follows the usual routine.

# cd /usr/ports/sysutils/pfstat
# make
# make install clean
# rehash

Create /usr/local/etc/pfstat.conf and paste the contents below into it. The configuration is adapted from Daniel Hartmeier's example at http://www.benzedrine.cx/pfstat.html, and you can add as many graph-producing sections as you like, spanning different time intervals. The ones in this example only produce graphs spanning the last day. Adjust the name of your external interface and the location where the images are stored, and create that folder beforehand or the script will error out.

# /usr/local/etc/pfstat.conf

# collect
#   global
#     states entries|searches|inserts|removals [diff]
#     counters match|bad-offset|fragment|...|synproxy [diff]
#              (see pfctl -si output, same strings)
#   interface name pass|block packets|bytes in|out v4|v6 [diff]
#   queue name passed|dropped|other packets|bytes|number [diff]

collect 1 = interface "em1" pass bytes in ipv4 diff
collect 2 = interface "em1" pass bytes out ipv4 diff
collect 3 = global states entries

image "/usr/home/myweb/public_html/pp.dyndns.biz/www/pfstat/pfstat.jpg" {
        from 1 days to now
        width 980 height 300
        left
                graph 1 bps "in" "bits/s" color 0 192 0 filled,
                graph 2 bps "out" "bits/s" color 0 0 255
        right
                graph 3 "states" "entries" color 192 192 0
}

collect 4 = interface "em1" pass packets in ipv4 diff
collect 5 = interface "em1" pass packets out ipv4 diff
collect 6 = interface "em1" block packets in ipv4 diff
collect 7 = interface "em1" block packets out ipv4 diff

image "/usr/home/myweb/public_html/pp.dyndns.biz/www/pfstat/pfstat-packets.jpg" {
        from 1 days to now
        width 980 height 300
        left
                graph 4 "pass in"   "packets/s" color 0 192 0 filled,
                graph 5 "pass out"  "packets/s" color 0 0 255
        right
                graph 6 "block in"  "packets/s" color 255 0 0,
                graph 7 "block out" "packets/s" color 192 192 0
}

collect  8 = global states inserts  diff
collect  9 = global states removals diff
collect 10 = global states searches diff

image "/usr/home/myweb/public_html/pp.dyndns.biz/www/pfstat/pfstat-states.jpg" {
        from 1 days to now
        width 980 height 300
        left
                graph 8 "inserts" "states/s" color 0 192 0 filled,
                graph 9 "removals" "states/s" color 0 0 255
        right
                graph 10 "searches" "states/s" color 255 0 0
}

collect 11 = queue "q_p2" pass bytes diff
collect 12 = queue "q_p1" pass bytes diff
collect 13 = queue "q_p2p" pass bytes diff
collect 14 = queue "q_def" pass bytes diff

image "/usr/home/myweb/public_html/pp.dyndns.biz/www/pfstat/pfstat-queues.jpg" {
        from 1 days to now
        width 980 height 300
        left
                graph 11 bps "q_p2" "bits/s" color 255 0 0,
                graph 12 bps "q_p1" "bits/s" color 192 192 0,
                graph 13 bps "q_p2p" "bits/s" color 0 192 0,
                graph 14 bps "q_def" "bits/s" color 0 0 255 
}

collect 15 = global counters match          diff
collect 16 = global counters bad-offset     diff
collect 17 = global counters fragment       diff
collect 18 = global counters short          diff
collect 19 = global counters normalize      diff
collect 20 = global counters memory         diff
collect 21 = global counters bad-timestamp  diff
collect 22 = global counters congestion     diff
collect 23 = global counters ip-option      diff
collect 24 = global counters proto-cksum    diff
collect 25 = global counters state-mismatch diff
collect 26 = global counters state-insert   diff
collect 27 = global counters state-limit    diff
collect 28 = global counters src-limit      diff
collect 29 = global counters synproxy       diff

image "/usr/home/myweb/public_html/pp.dyndns.biz/www/pfstat/pfstat-errors.jpg" {
        from 1 days to now
        width 980 height 300
        left
                graph 17 "frag" "/s" color 192 0 192,
                graph 22 "cong" "/s" color 0 192 192,
                graph 23 "iopt" "/s" color 0 0 255,
                graph 24 "csum" "/s" color 192 192 0,
                graph 25 "mism" "/s" color 255 0 0
#               others are usually all zero here
        right
                graph 15 "match" "/s" color 0 192 0
}

Now you have to add a crontab job that runs pfstat once every five minutes.

*/5 * * * *	/usr/local/bin/pfstat -q -p -d /usr/local/var/db/pfstat.db

[Image: Pfstat.jpg]

The pfstat-queues.jpg graph is particularly useful to you since it shows how the outgoing bandwidth is split between your different queues. It clearly shows how your higher priority queues automatically allocate the bandwidth they need at the expense of the lower priority queues, like in the example included here.
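
A pre-flight check for the configuration above, worth running before the cron job is enabled. This is an added example, not part of the original tutorial or of pfstat itself; the function name pfstat_conf_check is hypothetical, and it assumes the layout used above (one `image "path" {` per line, `collect N =` and `graph N` at the start of their lines).

```shell
#!/bin/sh
# pfstat_conf_check FILE  (hypothetical helper, added example)
# Reports two mistakes that otherwise only surface when cron runs pfstat:
#   1. an image path whose directory does not exist
#   2. a "graph N" entry with no "collect N" definition anywhere in the file
# Prints one line per problem; returns 0 if the file is clean, 1 otherwise.
pfstat_conf_check() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read: $conf"; return 1; }

    out=$(
        # 1. pull the quoted path out of every uncommented image line
        sed -n 's/^[[:space:]]*image[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$conf" |
        while IFS= read -r img; do
            dir=$(dirname "$img")
            [ -d "$dir" ] || echo "missing directory: $dir (for $img)"
        done

        # 2. remember every collect id, then check each graph reference
        awk '
            { sub(/#.*/, "") }                       # ignore comments
            $1 == "collect" && $3 == "=" { def[$2] = 1 }
            $1 == "graph"                { ref[NR] = $2 }
            END {
                for (n in ref)
                    if (!(ref[n] in def))
                        print "line " n ": graph " ref[n] " has no matching collect"
            }
        ' "$conf"
    )

    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Run directly as: sh pfstat_conf_check.sh /usr/local/etc/pfstat.conf
if [ "$#" -gt 0 ]; then
    pfstat_conf_check "$1"
fi
```
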

Summary

  • /usr/local/etc/pfstat.conf is the config file for pfstat.
  • The default location for the database is /var/db/pfstat.db, but it should be moved to /usr/local/var/db/pfstat.db, as is done in this example, since space on /var is limited.
