Hello,
I'm currently trying to do some stats (max pps, max bps, etc.) on a company's
network traffic.
My setup is quite simple: all traffic going through the "external" interface of
a firewall is mirrored to a network interface on a server.
So I used netsniff-ng and ifpps at the same time on the server (for
approximately 10 hours).
Here are the commands used:
- netsniff-ng
netsniff-ng -i eth3 -o /pcaps/ -s --prefix datacenter. --verbose --ring-size 64MiB --interval 1min --mmap -f /root/headers_only.bpfc
/root/headers_only.bpfc contains filters to only dump headers:
# cat /root/headers_only.bpfc
{ 0x20, 0, 0, 0xfffff034 },
{ 0x16, 0, 0, 0x00000000 },
- ifpps
ifpps -d eth3 -c -l > ifpps.csv
So I decided to take a look at the maximum traffic I got with ifpps:
# grep "^[0-9]" /pcap/stats/ifpps.csv | cut -d' ' -f2 | sort -n | tail -1
30262932 (bytes)
It corresponds to 12:19:25 UTC.
When I take a look at the maximum traffic within the netsniff-ng dumps around
the same time, I get a lot less traffic:
# tcpstat -r /pcaps/datacenter.1444652352.pcap 1 | awk '{print $5}' | cut -d'=' -f2 | sort -n | tail -1
121340528 (bps) ~= 15167566 bytes
Almost the same with tshark:
$ tshark -q -nr /pcaps/datacenter.1444652352.pcap -t ad -z io,stat,1 | grep 2015- | awk '{print $7}' | sort -n | tail -1
16297450 (bytes)
Same "issue" with pps and without bpfc filter for netsniff-ng.
So, am I missing something? Is this expected behavior?
Any help would be really appreciated!
Thanks!
Thomas
My system:
netsniff-ng 0.5.8 (Debian package: 0.5.8-2)
Debian Jessie 64 bits (3.16.0-4-amd64)
eth3's module: tg3