Date: Mon, 24 Feb 2003 18:18:05 +0100 From: Paul Schenkeveld <fb-isp@psconsult.nl> To: Wolfpaw - Dale Corse <admin-lists@wolfpaw.net> Cc: freebsd-bugs@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG Subject: Re: FW: Netstat byte counters, and IPFW (1 or 2) counters don't match Message-ID: <20030224181805.A43509@psconsult.nl> In-Reply-To: <AJENJFOLCLAHHIIGCCHNMELOFIAA.admin-lists@wolfpaw.net>; from admin-lists@wolfpaw.net on Mon, Feb 24, 2003 at 09:35:22AM -0700 References: <AJENJFOLCLAHHIIGCCHNMELOFIAA.admin-lists@wolfpaw.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi, On Mon, Feb 24, 2003 at 09:35:22AM -0700, Wolfpaw - Dale Corse wrote: > Hi All, > > I tried posting this to freebsd-questions, but I have received no reply. So I thought I would try it as > a bug (and the ISP list too :), as that is what it appears to be to me. I am not subscribed to this list, > so if you could reply directly I would appreciate it :) Anyway .. here is the problem: > > I can't seem to find a reason for this.. but if I graph the values of fxp0 using netstat -bin, like this: > > Name Mtu Network Address Ipkts Ierrs Ibytes Opkts Oerrs Obytes Coll > fxp0 1500 <Link#1> 00:02:b3:bc:12:7c 3417242 0 232992484 3997590 0 764014344 0 > > and IPFW-2 rules like this (I also tried ipfw 1, and ipf): > > 00100 388827 18466235 count ip from any to any in via fxp0 > 00101 454678 80243192 count ip from any to any out via fxp0 > > both with the same version of MRTG, the netstat version matches what my provider tells me I am using, but the > one using ipfw values is always 50 - 200 kbits/sec off. Does anyone know why? I am stumped :( I have tried According to the numbers above, ipfw only counts 7.9% of all input bytes and 10.5% of all output bytes counted by netstat. Could it be that your (32-bit) counters have wrapped around? I can think of there reasons for /small/ differences: - Netstat counts all bytes in the ethernet frame, ipfw probably only sees the IP packet minus ethernet header. - Netstat sees all protocols, ipfw only IP. Other notable protocols that can offset your netstat counters: * CDP (Cisco Discovery Protocol, sent out on every Cisco port unless explicitely disabled in the config of the router/switch) * IPv6 * IPX (are there any Novell servers or PCs with IPX enables in the subnet/broadcast domain). * Netbeui (any PC in the same subnet/broadcast domain with netbeui enabled). It could well be a combination of several of these factors. Make sure both start counting at the same time (or zero both counters simultaneously), look with 'tcpdump -ni <interface> not ip' to see all protocols other than IP. After evicting all PCs sending out IPX or Netbeui, kindly asking your switch to not send CDP and taming all connected nodes to not use IPv6 should bring you a bit closer but the simple calculation: ipfw_no_of_bytes + ipfw_no_of_packets * ether_header_size will still not give you thenumber of bytes as IP datagrams may be fragmented and reassembled between the ethernet driver and the IP layer. > using both ipfw 1, and ipfw 2 (counting only layer 3, and only layer 2, and both types (which was way off) of > packets).. and I have been unable to solve the problem :( The other odd thing being, it seems to be traffic that > is maybe not IP based.. because the graph on the uplink of the Cisco switch behind the firewall in question does > not see the traffic ethier.. but the Cisco 6509 in front of it sees it.. :/ > > Please let me know if you have any ideas :) > > Thanks in advance :) > Dale. Hope this helps you. Regards, Paul Schenkeveld, Consultant PSconsult ICT Services BV To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030224181805.A43509>