On Sun, Apr 09, 2006 at 04:28:58PM +0100, Gaby vanhegan wrote:
> On 9 Apr 2006, at 15:26, Stuart Henderson wrote:
>
> >>The thing with pflog is that I can't see which field (if any) is the
> >>packet size, which is what I'm interested in. I'm trying to log how
> >>much of which protocol eats what amount of my bandwidth, both inbound
> >>and outbound.
> >
> >Are the 'pfctl -sr -v' counters no use for you?
>
> These look very promising indeed. I'm guessing that this:
>
> > -s rules Show the currently loaded filter
> >rules. When used
> > together with -v, the per-rule
> >statistics (number
> > of evaluations, packets and bytes) are
> >also shown.
> > Note that the ``skip step''
> >optimization done au-
> > tomatically by the kernel will skip
> >evaluation of
> > rules where possible. Packets passed
> >statefully
> > are counted in the rule that created
> >the state
> > (even though the rule isn't evaluated
> >more than
> > once for the entire connection).
>
> Means that all the bytes are counted, even for stateful connections?
> So if the first x bytes of an HTTP connection create the state, and a
> further Y bytes of web page are transmitted over that connection,
> then the total bytes field will show X+Y, rather than just X?
Yes, though do note the point about skip rules.
Joachim
