Packet filter statistics
Norm Vilmer
norm at etherealconsulting.com
Thu Sep 9 08:00:36 PDT 2004
Steve Bertrand wrote:
>>Steve Bertrand wrote:
>>
>>>Please bear with me...
>>>
>>>I've got a Windows 2000 web server that is spewing out over 2Mbps of
>>>data which is going out round robin over my 3 T-1 connections.
>>>Although there is still more throughput available, this is seemingly
>>>ridiculous.
>>>
>>>I've got a fortigate box in front of the server now, but the details
>>>it gives aren't quite what I need. What I'd like to have is a FBSD
>>>filter (transparent bridge) setup in front of the box, with software
>>>that can chart for me what type of packets are being sent/rec'd
>>>to/from this box, as well as each packet's frequency and size. Any
>>>graph would do.
>>>
>>>I believe this is legit HTTP traffic, but I can't identify packet size
>>>(or the size of a single entire HTTP session etc). Seeing this in
>>>graphical form would help me immensely.
>>>
>>>Anyone familiar with available software that I could dump on my filter
>>>box that can potentially do something similar like I am looking for?
>>>
>>>I was contemplating on asking this on -ipfw, however technically it's
>>>not a direct IPFW question.
>>>
>>>Tks everyone for any suggestions.
>>>
>>>Steve
>>>
>>>_______________________________________________
>>>freebsd-questions at freebsd.org mailing list
>>>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>To unsubscribe, send any mail to
>>>"freebsd-questions-unsubscribe at freebsd.org"
>>>
>>
>>You may want to check out Ethereal (free packet sniffer)
>>www.ethereal.com. I have used this successfully on FreeBSD. Also,
>>FreeBSD has a program called tcpdump that will show packets without the
>>added bells and whistles of Ethereal. One note: if you are using level 2
>>or higher switches, the sniffer will not pick up all the traffic coming
>>out of your Win2k box unless you configure a management port on your
>>switch or use a hub with both the sniffer box and the server connected
>>to it.
>>
>>Alternatively, you may be able to run Ethereal on your Win2k box....
>>
>>Hope this helps.
>>
>>Norm
>
>
> OFF-LIST.
>
> I just noticed your email address...I have used ethereal only in
> traditional sniffing environments, to identify who's doing what.
>
> However, you probably know better than I if it measures bytes
> sent/received by IP, protocol, port etc. The box in use as I said will
> be in-line. Also, will ethereal run without X? It's a command line
> only box.
>
> Tks again,
>
> Steve
>
>
My email domain is just a strange coincidence; I am not associated with
the people at ethereal.com, just like the product (and name :)
You do not need X; use "tethereal", it is a command line program.
With regards to inserting the box inline, it should be possible; I have
not been successful at doing it (yet). I am trying to build a NIPS which
I would like to put inline between my ISP and my wireless router. I am
using ipfw. If I get it to work, I will let you know.
Norm
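
The per-protocol, per-port byte accounting asked about in this thread can also be done offline from a capture file saved on the command-line box (for example with `tcpdump -w`). The following is an added example, not code from either poster or from the Ethereal project; it assumes a classic libpcap file with Ethernet framing and IPv4, and the function names, addresses and sample capture are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def summarize(pcap, server_ip):
    """Return {(direction, proto, server_port): [packets, bytes]} for IPv4-over-Ethernet."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic libpcap file")
    end = "<" if magic == 0xA1B2C3D4 else ">"
    stats = defaultdict(lambda: [0, 0])
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen, wirelen = struct.unpack(end + "II", pcap[off + 8:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # only Ethernet frames carrying IPv4
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        if server_ip not in (src, dst):
            continue
        direction = "out" if src == server_ip else "in"
        proto, l4 = frame[23], 14 + (frame[14] & 0x0F) * 4
        port = None
        if proto in (6, 17) and len(frame) >= l4 + 4:
            sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
            port = sport if direction == "out" else dport  # port on the server side
        entry = stats[(direction, PROTO.get(proto, str(proto)), port)]
        entry[0] += 1
        entry[1] += wirelen  # on-the-wire size, even if the capture was truncated
    return dict(stats)

def _frame(src, dst, proto, sport, dport, payload_len):
    """Constructed frame: zeroed MACs, minimal IPv4 header, ports plus zero padding."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + payload_len, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + bytes(4 + payload_len)

def sample_pcap():
    """Constructed capture (documentation addresses), not traffic from the thread."""
    srv, cli = "192.0.2.10", "198.51.100.7"
    frames = [_frame(cli, srv, 6, 40000, 80, 0), _frame(srv, cli, 6, 80, 40000, 1400),
              _frame(srv, cli, 6, 80, 40000, 1400), _frame(srv, cli, 17, 123, 123, 40)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    for key, (pkts, nbytes) in sorted(summarize(sample_pcap(), "192.0.2.10").items(), key=str):
        print(key, pkts, "packets", nbytes, "bytes")
```

The resulting counts per direction, protocol and server-side port can be fed to any plotting tool to get the graph the original question asks for.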