Date: Sat, 10 Nov 2007 04:19:35 +1100 (EST)
From: Ian Smith
To: Eric F Crist
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW show format question...
In-Reply-To: <20071107120028.C9BB716A4A1@hub.freebsd.org>

On Tue, 6 Nov 2007 Eric F Crist wrote:

 > So, everything I've read says that ipfw show displays rule number,
 > packets caught, bytes matched, and rule. The problem I'm having is
 > that it seems that the bytes, at least on some rules, is way out of
 > whack. I'm capturing this data for cacti, and trying to display
 > accumulated ipfw traffic.
 >
 > If I zero my counters and download a file via FTP, the downloaded
 > sizes don't even compare. 61MB into the download, if I convert the
 > ipfw show from the supposed bytes into MB, it says I've downloaded
 > 155MB.

Catching up on a few days' digests, and seeing no one else having a go:

It helps to show rather than tell about your rules, but I'll guess that
you're not distinguishing between inbound and outbound traffic, i.e. your
rules are counting packets both on the way in (pass 1) and out (pass 2).

E.g. allowing traffic using 'via' (qualified neither by 'in' nor 'out')
allows (so, counts) a packet on both passes .. as may stateful rules.

Separate counts before allowing traffic can be best for accounting, e.g.

	add $n1 count ip from $outthere to $inhere in recv $some_if
	add $n2 count ip from $inhere to $outthere out xmit $some_if
	[..]
	add allow $whatever ..

HTH, Ian
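
An added example, not part of the original thread: a small parser for `ipfw show` output that feeds a grapher only from direction-qualified `count` rules, as the reply suggests, and lists rules whose counters have no `in`/`out` qualifier. The sample output, the address 192.0.2.10, the interface em0 and all function names are constructed for illustration.

```python
import re

# Constructed sample of `ipfw show` output (not from the thread). Columns:
# rule number, packets, bytes, rule body. 192.0.2.10 and em0 are placeholders.
SAMPLE = """\
00100 45000 64000000 count ip from any to 192.0.2.10 in recv em0
00110 23000  1300000 count ip from 192.0.2.10 to any out xmit em0
00200 68000 65300000 allow ip from any to any via em0
65535     0        0 deny ip from any to any
"""

LINE_RE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(\S.*)$")

def direction(body):
    """Classify a rule body by its 'in'/'out' keyword (simple token match)."""
    words = body.split()
    if "in" in words:
        return "in"
    if "out" in words:
        return "out"
    return "both"  # no direction qualifier: the counter mixes both passes

def parse_show(text):
    """Turn `ipfw show` text into a list of rule dicts; skip unparsable lines."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            num, pkts, nbytes, body = m.groups()
            rules.append({"num": int(num), "packets": int(pkts),
                          "bytes": int(nbytes), "body": body,
                          "direction": direction(body)})
    return rules

def accounting_totals(rules):
    """Sum bytes of direction-qualified 'count' rules; list mixed counters."""
    totals, mixed = {"in": 0, "out": 0}, []
    for r in rules:
        if r["direction"] == "both":
            if r["bytes"]:
                mixed.append(r["num"])
        elif r["body"].split()[0] == "count":
            totals[r["direction"]] += r["bytes"]
    return totals, mixed

if __name__ == "__main__":
    totals, mixed = accounting_totals(parse_show(SAMPLE))
    print("bytes in/out:", totals, "unqualified rules to exclude:", mixed)
```

In the constructed sample, rule 200's byte counter equals the sum of the two directional counters, which is the kind of inflated figure a graph picks up when it reads an unqualified rule.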