Re: [pmacct-discussion] pmacct measures less traffic than ethereal does

Tue, 09 Jan 2007 07:30:26 -0800 

Dear Paolo,

many thanks for your fast reply!

Paolo Lucente schrieb am 2007-01-05 um 22:09 Uhr:
> Also, don't forget to compare what Ethereal and pmacct say with any 
> third-party
> software. 

Good idea with great results: I tried "ipfm" as third-party
accounting. In this tests I copied 3 Files via "scp
Host1:/boot/vmlinuz* ." (from host2) and monitored the traffic between
Host1 and Host2. I did a lot of testing and here are the results:

Test #1

    tcpdump filename: tcp.dump.1

    Ethereal IPv4 Conversations (anylzing the tcpdumped file):
        Host1 TX: 3672128 bytes (2480 pkts)
        Host1 RX:   88458 bytes (1293 pkts)

    ipfm (directly listening on NIC sis1 of my gateway):
        Host1 TX: 3638164 bytes (ipfm has no packet counters)
        Host1 RX:   71109 bytes

    softflowd/nfacctd (with softflowd directly listening on NIC sis1 of my 
gateway):
        Host1 TX: 3560192 bytes (2427 pkts)
        Host1 RX:   69317 bytes (1263 pkts)

Three different values? Unbelivable! Let's try this:

    softflowd/nfacctd (with softflowd analyzing tcp.dump.1):
        Host1 TX: 3638164 bytes (2482 pkts)
        Host1 RX:   71109 bytes (1295 pkts)

Hey, softflowd directly sniffing results in other values than
softflowd reading from a tcpdump capture file?!? Softflowd is
suspicios! And the last two measurements result in the same values!
I'm trying pmacctd instead of softflowd/nfacctd:

Test #2

    tcpdump filename: tcp.dump.2

    Ethereal IPv4 Conversations (anylzing the tcpdumped file):
        Host1 TX: 3670844 bytes (2486 pkts)
        Host1 RX:   87996 bytes (1286 pkts)

    ipfm (directly listening on NIC sis1 of my gateway):
        Host1 TX: 3636796 bytes (ipfm has no packet counters)
        Host1 RX:   70745 bytes

    pmacctd (directly listening on NIC sis1 of my gateway):
        Host1 TX: 3636796 bytes (2488 pkts)
        Host1 RX:   70745 bytes (1288 pkts)

    pmacctd (analyzing the tcpdumped file):
        Host1 TX: 3636796 bytes (2488 pkts)
        Host1 RX:   70745 bytes (1288 pkts)

Gotcha! Hahaha! Thank you paolo!

I still don't really understand, why ethereal show's different values
than pmacct and ipfm. Is there another way to calculate IP traffic
instead of counting IP headers and IP payload? Maybe I'll understand
this one day, but meanwhile I'll be happy that pmacct does a great
job!

Thank you very much, paolo! For pmacct and for your help!

best regards,
Seastian


_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Reply via email to