On 2012-04-25, Alan Corey <ab...@devio.us> wrote: > I'm on a modem, so there's only about 3 K/sec anyway, but is there > anything that'll show me at least pids of what's using bandwidth?
You can watch each packet with "match log(all,user)" in pf.conf and running "tcpdump -enipflog0 -v". The *second* pid reported shows the associated program. (The *first* pid is that of the pfctl instance which added the rule). Or it may be easier to use some other program to grab the bandwidth figures (darkstat, perhaps?) and then look in pflog to identify the pid, in which case the per-packet information is probably not useful so maybe just do "match log(user)" which will just show one entry for each state that was setup.
