On 10/13/2015 11:37 AM, tmartin...@gmail.com wrote:
Hello,

I'm currently trying to do some stats (max pps, max bps, etc) on a company's
network traffic.

My setup is quite simple: all traffic going through the "external" interface of 
a firewall is mirrored to a network interface on a server.

So I used netsniff-ng and ifpps at the same time on the server (for
approximately 10 hours).


Here are the commands used:
- netsniff-ng
netsniff-ng -i eth3 -o /pcaps/ -s --prefix datacenter. --verbose --ring-size 64MiB --interval 1min --mmap -f /root/headers_only.bpfc

/root/headers_only.bpfc contains filters to only dump headers:
# cat /root/headers_only.bpfc
{ 0x20, 0, 0, 0xfffff034 },
{ 0x16, 0, 0, 0x00000000 },


- ifpps
ifpps -d eth3 -c -l > ifpps.csv


So I decided to take a look at the maximum traffic I got with ifpps:
# grep "^[0-9]" /pcap/stats/ifpps.csv | cut -d' ' -f2 | sort -n | tail -1
30262932 (bytes)

It corresponds to 12:19:25 UTC time.


When I take a look at the maximum traffic within the netsniff-ng dumps around
the same time, I get a lot less traffic:
# tcpstat -r /pcaps/datacenter.1444652352.pcap 1 | awk '{print $5}' | cut -d'=' -f2 | sort -n | tail -1
121340528 (bps) ~= 15167566 bytes

Yes, that would be expected. The reason is that ifpps dumps the stats from the
NIC while tcpstat looks at the pcap file, where you only dump the headers. So
when the BPF filter truncates the packet, the new, truncated length is written
to the pcap file.

Almost the same with tshark:
$ tshark -q -nr /pcaps/datacenter.1444652352.pcap -t ad -z io,stat,1 | grep 2015- | awk '{print $7}' | sort -n | tail -1
16297450 (bytes)



Same "issue" with pps and without bpfc filter for netsniff-ng.

So, am I missing something? Is it an expected behavior?


Any help would be really appreciated!

Thanks!

Thomas


My system:
netsniff-ng 0.5.8 (Debian package: 0.5.8-2)
Debian Jessie 64 bits (3.16.0-4-amd64)
eth3's module: tg3
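
An added example, not part of the original thread or of netsniff-ng: each record header in a classic pcap file carries both the number of bytes stored and an original-length field, so summing the two per second shows how much of the gap to the NIC counters comes from header-only truncation. Whether the original-length field still holds the wire length after a truncating BPF filter depends on the capture tool and is an assumption here; the sample capture and its timestamps are constructed.

```python
import struct
from collections import defaultdict

MAGICS = (0xA1B2C3D4, 0xA1B23C4D)  # classic pcap, microsecond / nanosecond timestamps

def per_second_bytes(data):
    """Map epoch second -> (captured_bytes, wire_bytes, packets) for a classic pcap."""
    for endian in ("<", ">"):
        if struct.unpack_from(endian + "I", data, 0)[0] in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file")
    stats = defaultdict(lambda: [0, 0, 0])
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, _frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            break  # last record cut short, e.g. file still being written
        bucket = stats[ts_sec]
        bucket[0] += incl_len  # bytes stored in the file (after any truncation)
        bucket[1] += orig_len  # length the capture tool recorded as the original packet size
        bucket[2] += 1
        off += incl_len
    return {sec: tuple(v) for sec, v in stats.items()}

def peak(stats, field):
    """Return (second, value) of the busiest second; field 0=captured, 1=wire, 2=packets."""
    sec = max(stats, key=lambda s: stats[s][field])
    return sec, stats[sec][field]

def build_sample():
    """Constructed capture: mostly 54 header bytes kept out of 1514-byte frames."""
    t0 = 1444652352  # constructed timestamp
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, incl, orig in [(t0, 54, 1514)] * 3 + [(t0 + 1, 54, 1514), (t0 + 1, 42, 42)]:
        out += struct.pack("<IIII", ts, 0, incl, orig) + b"\x00" * incl
    return out

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    stats = per_second_bytes(raw)
    for name, field in (("captured", 0), ("wire", 1), ("packets", 2)):
        print(name, "peak:", peak(stats, field))
```

If the captured and wire peaks come out identical on a header-only capture, the original length was not preserved in the file and only the NIC counters reflect the real byte rate.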

