Re: [netsniff-ng] Stats differences between ifpps and netsniff-ng.

2015-10-13 Thread Daniel Borkmann

On 10/13/2015 11:37 AM, tmartin...@gmail.com wrote:

> Hello,
>
> I'm currently trying to do some stats (max pps, max bps, etc) on a company's
> network traffic.
>
> My setup is quite simple: all traffic going through the "external" interface of
> a firewall is mirrored to a network interface on a server.
>
> So I used netsniff-ng and ifpps at the same time on the server (for approximately
> 10 hours).
>
> Here are the commands used:
> - netsniff-ng
> netsniff-ng -i eth3 -o /pcaps/ -s --prefix datacenter. --verbose --ring-size 64MiB --interval 1min --mmap -f /root/headers_only.bpfc
>
> /root/headers_only.bpfc contains filters to only dump headers:
> # cat /root/headers_only.bpfc
> { 0x20, 0, 0, 0xf034 },
> { 0x16, 0, 0, 0x },
>
> - ifpps
> ifpps -d eth3 -c -l > ifpps.csv
>
> So I decided to take a look at the maximum traffic I got with ifpps:
> # grep "^[0-9]" /pcap/stats/ifpps.csv | cut -d' ' -f2 | sort -n | tail -1
> 30262932 (bytes)
>
> It corresponds to 12:19:25 UTC time.
>
> When I take a look at the maximum traffic within the netsniff-ng dumps around
> the same time I got a lot less traffic:
> # tcpstat -r /pcaps/datacenter.1444652352.pcap 1 | awk '{print $5}' | cut -d'=' -f2 | sort -n | tail -1
> 121340528 (bps) ~= 15167566 bytes

Yes, that would be expected. The reason is that ifpps dumps the stats from the
NIC while tcpstat looks at the pcap file, where you only dump the headers. So
when the BPF filter truncates the packet, the new, truncated length is written
to the pcap file.

> Almost the same with tshark:
> $ tshark -q -nr /pcaps/datacenter.1444652352.pcap -t ad -z io,stat,1 | grep 2015- | awk '{print $7}' | sort -n | tail -1
> 16297450 (bytes)
>
> Same "issue" with pps and without bpfc filter for netsniff-ng.
>
> So, am I missing something? Is it an expected behavior?
>
> Any help would be really appreciated!
>
> Thanks!
>
> Thomas
>
> My system:
> netsniff-ng 0.5.8 (Debian package: 0.5.8-2)
> Debian Jessie 64 bits (3.16.0-4-amd64)
> eth3's module: tg3



--
You received this message because you are subscribed to the Google Groups 
"netsniff-ng" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to netsniff-ng+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
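
Added example (not part of the original thread and not netsniff-ng code): a Python sketch that walks the record headers of a classic pcap file and totals, per second, both the captured length (incl_len) and the original length (orig_len), which is the difference between what a headers-only dump stores and what the interface counted. The sample capture, the 54-byte snaplen and the function names are constructed for illustration, and the sample assumes the writer kept the wire length in orig_len; if both peaks are equal for a real file, the wire length was not preserved and only the interface counters give the real byte rate.

```python
import struct

# Classic microsecond pcap magic as it appears on disk -> struct byte-order prefix.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def build_sample_pcap(records, snaplen=54):
    """Constructed sample: (ts_sec, wire_len) packets cut to snaplen bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for ts_sec, wire_len in records:
        incl_len = min(wire_len, snaplen)
        # Assumption: orig_len keeps the on-wire length of the packet.
        out += struct.pack("<IIII", ts_sec, 0, incl_len, wire_len)
        out += bytes(incl_len)  # zero-filled placeholder payload
    return out

def per_second_bytes(pcap_bytes):
    """Return {ts_sec: [captured_bytes, wire_bytes]} from the record headers."""
    endian = PCAP_MAGICS.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    totals = {}
    off = 24  # size of the global header
    while off + 16 <= len(pcap_bytes):
        ts_sec, _usec, incl_len, orig_len = struct.unpack_from(
            endian + "IIII", pcap_bytes, off)
        off += 16
        if off + incl_len > len(pcap_bytes):
            break  # last record was cut off mid-write; ignore it
        off += incl_len
        bucket = totals.setdefault(ts_sec, [0, 0])
        bucket[0] += incl_len   # what a tool summing stored bytes reports
        bucket[1] += orig_len   # what was on the wire, if the writer kept it
    return totals

def peak(totals, idx):
    """Busiest second: idx 0 = captured bytes, idx 1 = wire bytes."""
    return max(v[idx] for v in totals.values())

# Constructed traffic: three packets in second 100, one small packet in second 101.
SAMPLE = build_sample_pcap([(100, 1500), (100, 1500), (100, 60), (101, 40)])

if __name__ == "__main__":
    t = per_second_bytes(SAMPLE)
    print("peak captured bytes/s:", peak(t, 0))
    print("peak wire bytes/s:    ", peak(t, 1))
```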


Re: [netsniff-ng] Stats differences between ifpps and netsniff-ng.

2015-10-13 Thread Tobias Klauser
On 2015-10-13 at 14:47:28 +0200, tmartin...@gmail.com wrote:
> Le mardi 13 octobre 2015 14:02:45 UTC+2, Tobias Klauser a écrit :
> >
> > ifpps reports the NIC the cumulative stats since start of the system
> > (i.e. the info from /proc/net/dev), so you'll probably also be seeing 
> > the stats from your previous attempts unless you reboot in between the 
> > trials (or for some NIC drivers reloading the driver module might have 
> > the same effect). 
> >
> > Cheers 
> > Tobias 
> >
> 
> Hello Tobias,
> 
> In my example I used the second column of the csv output which corresponds
> to "rx-bytes-per-t".
>
> As far as I understand (I didn't check the source) it will be calculated
> like:
> rx-bytes-per-t = n - n-1
> 
> where n is the value retrieved from /proc/net/dev and n-1 the previous 
> value retrieved (in my case t=1000 ms).

How periodic is the traffic you receive?

How does it look if you average the values for RX bytes/t?



Re: [netsniff-ng] Stats differences between ifpps and netsniff-ng.

2015-10-13 Thread tmartincpp
Le mardi 13 octobre 2015 14:02:45 UTC+2, Tobias Klauser a écrit :
>
> ifpps reports the NIC the cumulative stats since start of the system
> (i.e. the info from /proc/net/dev), so you'll probably also be seeing 
> the stats from your previous attempts unless you reboot in between the 
> trials (or for some NIC drivers reloading the driver module might have 
> the same effect). 
>
> Cheers 
> Tobias 
>

Hello Tobias,

In my example I used the second column of the csv output which corresponds
to "rx-bytes-per-t".

As far as I understand (I didn't check the source) it will be calculated
like:
rx-bytes-per-t = n - n-1

where n is the value retrieved from /proc/net/dev and n-1 the previous 
value retrieved (in my case t=1000 ms).


So I don't understand why I need to reboot or reload the module for this 
statistic (I get it if I was checking rx-bytes instead of rx-bytes-per-t 
but I'm not).

Thanks!

Thomas



Re: [netsniff-ng] Stats differences between ifpps and netsniff-ng.

2015-10-13 Thread Tobias Klauser
On 2015-10-13 at 14:47:28 +0200, tmartin...@gmail.com wrote:
> Le mardi 13 octobre 2015 14:02:45 UTC+2, Tobias Klauser a écrit :
> >
> > ifpps reports the NIC the cumulative stats since start of the system
> > (i.e. the info from /proc/net/dev), so you'll probably also be seeing 
> > the stats from your previous attempts unless you reboot in between the 
> > trials (or for some NIC drivers reloading the driver module might have 
> > the same effect). 
> >
> > Cheers 
> > Tobias 
> >
> 
> Hello Tobias,
> 
> In my example I used the second column of the csv output which corresponds
> to "rx-bytes-per-t".
>
> As far as I understand (I didn't check the source) it will be calculated
> like:
> rx-bytes-per-t = n - n-1
> 
> where n is the value retrieved from /proc/net/dev and n-1 the previous 
> value retrieved (in my case t=1000 ms).
> 
> 
> So I don't understand why I need to reboot or reload the module for this 
> statistic (I get it if I was checking rx-bytes instead of rx-bytes-per-t 
> but I'm not).

Ah, of course. Sorry, I wasn't reading your command carefully enough.
