I am confused about the pftop output shown below. In both cases there are significant differences between the source and destination states. In both cases the source is a remote client and the destination is my server. Referring to the TCP state diagram from TCP/IP Illustrated, Volumes 1 and 2, I don't see how the two sides could get that far apart.
PR   D  SRC                    DEST           STATE  AGE  EXP  PKTS  BYTES
tcp  I  202.133.61.102:18950   10.0.1.230:25  9:4    472  735  15    1296
In the case above the source is in FIN_WAIT_2. The destination is in ESTABLISHED. This implies that the source sent a FIN that the destination never received. The source should then be in FIN_WAIT_1. In order for the source to move to FIN_WAIT_2 it needed to receive an ACK from the destination. However, if the destination had sent an ACK, it would be in CLOSE_WAIT.
PR   D  SRC                    DEST           STATE  AGE  EXP  PKTS  BYTES
tcp  I  34.141.245.225:57456   10.0.1.230:25  4:9    27   894  15    1329
In this case above, the states are reversed. This is even more confusing as it shows the destination in FIN_WAIT_2. However, to get there it would have to go through FIN_WAIT_1. Both of those states are for the client, not the server. I have not managed to catch the destination states of CLOSE_WAIT or LAST_ACK which are the server states during the connection teardown. I only see the client states for the destination.
I will admit that I have not really dealt with the TCP internals since the early 90's, when the company I worked for used the Motorola TCP/IP stack, which was stripped down for use in embedded systems. I am sure things have changed a bit since then, but the states I am seeing seem a bit unusual and contrary to the documentation I have available.
-- Doug