On 2010-11-24, Elliott Barrere <[email protected]> wrote: > Hi all, maybe I'm failing to understand pftop, but I can't seem to reconcile > this. I run pftop -orate -vspeed (or just run it and switch to that view) and > I see one connection supposedly using a huge amount of bandwidth: > > PR DIR SRC DEST > RATE PEAK AVG BYTES STATE PKTS AGE > EXP RULE GW > udp In <remote>:2003 <local>:2003 > 4194304K 4194304K 6521 21691M MULTIPLE:MULTIPLE 34232870 968:45:45 > 00:00:59 * > > The thing is, I can't see where all the traffic is coming from. I try running > tcpdump -xni carp1 port 2003, and I see almost nothing (maybe one or two > packets every few seconds). ifstat shows almost no traffic for this interface > either. > > Perhaps I'm not understanding the meaning of "rate", but I assumed it to mean > Kbps throughput. The man pages for don't seem to have the answer either. Can > someone tell me how the rates are calculated and why they might not be > accurate for this connection? > > Thanks, > -elliott- > >
Make sure you're using a pftop binary which is in sync with the kernel you're using, rate does show as a more sensible value here (-current OS and packages). Or you could try "systat states" from the base system which has the same information and is more likely to be in-sync with the kernel. Also you would normally use tcpdump on the real interface rather than the carp interface. I'm not sure exactly what 'rate' signifies though..my best guess from the numbers would be something like packets per minute, but that seems a bit arcane. (btw 4194304 * 1K = 4294967296 = 2^32, obviously a bogus value here)
