Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 24 Feb 2003 18:18:05 +0100
From:      Paul Schenkeveld <fb-isp@psconsult.nl>
To:        Wolfpaw - Dale Corse <admin-lists@wolfpaw.net>
Cc:        freebsd-bugs@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject:   Re: FW: Netstat byte counters, and IPFW (1 or 2) counters don't match
Message-ID:  <20030224181805.A43509@psconsult.nl>
In-Reply-To: <AJENJFOLCLAHHIIGCCHNMELOFIAA.admin-lists@wolfpaw.net>; from admin-lists@wolfpaw.net on Mon, Feb 24, 2003 at 09:35:22AM -0700
References:  <AJENJFOLCLAHHIIGCCHNMELOFIAA.admin-lists@wolfpaw.net>

next in thread | previous in thread | raw e-mail | index | archive | help
Hi,

On Mon, Feb 24, 2003 at 09:35:22AM -0700, Wolfpaw - Dale Corse wrote:
>  Hi All,
>  
>   I tried posting this to freebsd-questions, but I have received no reply. So I thought I would try it as
>   a bug (and the ISP list too :), as that is what it appears to be to me. I am not subscribed to this list,
>   so if you could reply directly I would appreciate it :) Anyway .. here is the problem:
> 
>  I can't seem to find a reason for this.. but if I graph the values of fxp0 using netstat -bin, like this:
>  
>  Name  Mtu   Network       Address            Ipkts Ierrs     Ibytes    Opkts Oerrs     Obytes  Coll
>  fxp0  1500  <Link#1>    00:02:b3:bc:12:7c  3417242     0  232992484  3997590     0  764014344     0
>  
>  and IPFW-2 rules like this (I also tried ipfw 1, and ipf):
>  
>  00100     388827   18466235 count ip from any to any in via fxp0
>  00101     454678   80243192 count ip from any to any out via fxp0
>  
>  both with the same version of MRTG, the netstat version matches what my provider tells me I am using, but the
>  one using ipfw values is always 50 - 200 kbits/sec off. Does anyone know why? I am stumped :( I have tried

According to the numbers above, ipfw only counts 7.9% of all input
bytes and 10.5% of all output bytes counted by netstat.
Could it be that your (32-bit) counters have wrapped around?

I can think of there reasons for /small/ differences:

  - Netstat counts all bytes in the ethernet frame, ipfw probably only sees
    the IP packet minus ethernet header.

  - Netstat sees all protocols, ipfw only IP.  Other notable protocols that
    can offset your netstat counters:
      * CDP (Cisco Discovery Protocol, sent out on every Cisco port unless
	explicitely disabled in the config of the router/switch)
      * IPv6
      * IPX (are there any Novell servers or PCs with IPX enables in the
	subnet/broadcast domain).
      * Netbeui (any PC in the same subnet/broadcast domain with netbeui
	enabled).

It could well be a combination of several of these factors.  Make
sure both start counting at the same time (or zero both counters
simultaneously), look with 'tcpdump -ni <interface> not ip' to see all
protocols other than IP.

After evicting all PCs sending out IPX or Netbeui, kindly asking your
switch to not send CDP and taming all connected nodes to not use IPv6
should bring you a bit closer but the simple calculation:

  ipfw_no_of_bytes + ipfw_no_of_packets * ether_header_size

will still not give you thenumber of bytes as IP datagrams may be
fragmented and reassembled between the ethernet driver and the IP
layer.

>  using both ipfw 1, and ipfw 2 (counting only layer 3, and only layer 2, and both types (which was way off) of
>  packets).. and I have been unable to solve the problem :( The other odd thing being, it seems to be traffic that
>  is maybe not IP based.. because the graph on the uplink of the Cisco switch behind the firewall in question does
>  not see the traffic ethier.. but the Cisco 6509 in front of it sees it.. :/
>  
>  Please let me know if you have any ideas :)
>  
>  Thanks in advance :)
>  Dale.

Hope this helps you.

Regards,

Paul Schenkeveld, Consultant
PSconsult ICT Services BV

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030224181805.A43509>