data sent/received from interface with netstat -i -b

[krskrs]

Hi, this is my first post here.. After searching on the net and using man with no results, I decided to ask for your help.

All started when looking at the Total Fields of ifstat -ifs I noticed that the received data was much higher than the number measured by our ISP in their control panel. The out field on the contrary seems to match.

It's like there is a lot of incoming data not measured by the ISP (something like traffic on the LAN?)

However, trying to investigate the problem, I tried:

netstat -I bce0 -nbh

Name    Mtu Network       Address              Ipkts Ierrs     Ibytes    Opkts Oerrs     Obytes  Coll
bce0   1500 <Link#1>      xx:ac:6f:xx:94:ef     648M  444K       1.3T     1.6G     0       2.3T     0
bce0   1500 xxx.yyy.243.1 xxx.yyy.243.162       648M     -        27G     1.6G     -       2.3T     -

and so far I haven't been able to understand what the second line exactly measures. It looks like it corresponds to the traffic measured in the ISP control panel, but is it the traffic directed to the public IP of the server? But in this case where has the 1.3TERABYTE (!) come from? I'd really like to understand in details.

Can you please help me (or provide some links where I could find more details on this subject)?

This is bce0:

bce0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM>
        ether b8:ac:6f:7d:94:ef
        inet xxx.yyy.243.162 netmask 0xfffffff8 broadcast xxx.yyy.243.167
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active

Thanks,
Francesco

 

[quintessence]

Hello,

The second row from your output shows the traffic on your ethernet interface.
link#1 is your 1st ethernet card on the machine.

So, this is the row you have to look at when you measure the whole traffic on the interface. Not only "local".

I.e:
first row indicated interface traffic on the "local" network for your ISP, not your real internet traffic. I mean this is the traffic in the network xxx.yyy.243.160/29 subnet, which is "local" for your provider.

Second line indicated your internet traffic.

 

[krskrs]

Hi quintessence, first of all, thank you! For your time and explanation. All you wrote is clear and makes perfectly sense.

In fact now I understand why the bytes sent match on the two lines, while the bytes received don't. (the output sent from the network card is the output sent from my IP, while the network card is receiving more bytes than those directed to the specific IP address which the second line refers to).

However, there is one thing that is not yet clear. 1.3TB received by the NIC is a lot of traffic (at present it reached 5.0TB received by the NIC and 110GB by the IP). Shouldn't the NIC only "intercept" traffic sent to its MAC address? Or broadcast traffic, but it seems too much anyway. (NIC doesn't run in promiscuous mode, although when I copied the result from ifconfig, it was). Moreover, you have to consider that this server has the xxx.yyy.243.0/29 subnet reserved for it. xxx.yyy.243.1 is the gateway .2 .3 .4 .5 are public ips usable by us, .6 is reserverd for IPMI. So what might all this incoming traffic be? I also think the ISP should have isolated our subnet from traffic directed to other dedicated servers.

I also tried to intercept this traffic with tcpdump by using:

tcpdump -e -n -c 1000 not ether dst GATEWAY_MAC_ADDR and not ether dst MY_NIC_MAC_ADDR

but I only get some sporadic ARP traffic, or something like: 802.3, length 2026: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1w, Rapid STP, Flags [Learn, Forward] , but nothing which could led to Terabytes in a couple of days.

Thank you again,
Francesco

 

[krskrs]

QUICK UPDATE (and probably solved)

By looking at the number of inbound packets on both lines in netstat, I realized they were the same. This led me to:

http://freebsd.1045724.n5.nabble.co...frames-as-2026-bytes-in-length-td4021397.html

where I found out there is a sort of bug with the packet size at the interface level. And on that box we're actually using freebsd FreeBSD 7.2



Thank you again

 

[quintessence]

Hello,

No, this is not a bug, this is one big feature presented in this operating system

Currently you don't see any other traffic, because your subnet may not generate in the moment. But in the last days, there were a traffic generated between your hosts in your network/subnet you use.

1.3TB is actually nothing as sum.

If in the past days you transferred between your server 1 and your server 2 2-3 ISO images for example, here is where the traffic 1.3TB comes from.

Usually, internet providers calculate network bandwidth from the switch (layer 2 or layer 3).
So the correct way to calculate your bandwidth of all of your hosts is direct monitoring of your uplink, where they actually reports to you statistics.
So, you may generate 100TB traffic between you hosts in your subnet with the maximum bandwidth speed (let say 50Mb/s for example) which is set to you, and you may generate 25MB to the rest of the world with some small bandwidth (let say 25Kb/s). The final stats as bandwidth speed shown on your uplink will be 50 Mb/s upper limit (where you generated in time X between your server 1 and server 2) instead of 25Kb/s.

About traffic calculation, usually when your service is traffic limited, this 100TB "local" traffic from the example between your server 1 and your server 2, will not be calculated as "internet" traffic, because it is your local network.