IPFW show format question...

[Ian Smith]

On Tue, 6 Nov 2007 Eric F Crist <ecrist at secure-computing.net> wrote:
 > So, everything I've read says that ipfw show displays rule number,  
 > packets caught, bytes matched, and rule.  The problem I'm having is  
 > that it seems that the bytes, at least on some rules, is way out of  
 > whack.  I'm capturing this data for cacti, and trying to display  
 > accumulated ipfw traffic.
 > 
 > If I zero my counters and download a file via FTP, the downloaded  
 > sizes don't even compare.  61MB into the download, if I convert the  
 > ipfw show from the supposed bytes into MB, it says I've downloaded  
 > 155MB.

Catching up on a few days' digests, and seeing noone else having a go:

It helps to show rather than tell about your rules, but I'll guess that
you're not distinguishing between inbound and outbound traffic, ie your
rules are counting packets both on the way in (pass 1) and out (pass 2)

Eg allowing traffic using 'via' (qualified neither by 'in' nor 'out') 
allows (so, counts) a packet on both passes .. as may stateful rules.

Separate counts before allowing traffic can be best for accounting, eg

 add $n1 count ip from $outthere to $inhere in recv $some_if
 add $n2 count ip from $inhere to $outthere out xmit $some_if
 [..]
 add allow $whatever ..

HTH, Ian