Reliable traffic counter?
-
Hi,
I have installed vnstat, and am using it (with the pppoe interfache - /usr/local/bin/vnstat -i pppoe0; /usr/local/bin/vnstat -i pppoe0 -h) to mail me daily how much traffic has been passing through pfSense to the internet.
E.g., yesterday's stats look like this:
daily rx | tx | total | avg. rate ------------------------+-------------+-------------+--------------- yesterday 12.36 GiB | 12.03 GiB | 24.39 GiB | 2.37 Mbit/s today 0 KiB | 0 KiB | 0 KiB | n/a ------------------------+-------------+-------------+--------------- estimated -- | -- | -- | WAN (pppoe0) 00:00 ^ t | t rt rt | t rt rt | t rt rt | t rt rt | r t rt rt | r t rt rt | r t rt rt | r r t rt rt | r r t r rt rt -+---------------------------------------------------------------------------> | 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 00 h rx (MiB) tx (MiB) h rx (MiB) tx (MiB) h rx (MiB) tx (MiB) 01 70.53 3.28 09 883.57 20.65 17 539.69 17.34 02 64.65 3.09 10 2209.76 30.44 18 3679.58 4034.35 03 63.88 3.66 11 176.09 11.30 19 89.65 9.84 04 68.61 3.21 12 345.99 4006.40 20 23.42 3.50 05 62.06 3.09 13 71.72 8.88 21 3739.54 4078.76 06 71.78 9.07 14 8.80 15.37 22 17.34 7.20 07 105.68 12.02 15 11.46 9.15 23 8.17 2.81 08 243.41 10.99 16 26.23 11.15 00 0.00 0.00
These figures are, by the way, consistent to what pfSense shows me unter Statistics -> Traffic totals.
However, as these figures appeared to be surprisingly high to me, I've been running tcpdump on a permanent basis to understand what's going on. tcpdump creates pcaps per hour, called via cron:
0 */1 * * * root /sbin/mount <ip>: <nfs-share>/var/storage && /usr/sbin/tcpdump -G 3600 -W 1 -i pppoe0 -s 65535 -w /var/storage/pfsensedump\%y\%m\%d_\%H\%M.pcap</nfs-share></ip>
Now, interestingly, for some hours the pcaps are in line with vnstat statistics (e.g., the pcap created from 10 to 11 is 2.23 GB in size), whereas for other times, there is a huge discrepancy (e.g., the pcap created from 18 until 19 is not 7.8 GB in size, but just 1.26 GB). Judging from my time before pfSense, the aggregate size of the pcaps appears to reflect my actual traffic much more realistically than what pfSense shows elsewhere.
Am I misreading the stats, or doing something wrong in using them? What's a reliable way to get figures for the actual internet traffic my system has been generating (other than looking at the size of the pcap files…)?
Thanks!
-
Does nobody have an idea why the vnstat values are quite far off the actual traffic passing through the system?