# Is it possible to zero netstat -i ?



## Nicola Mingotti (Jul 28, 2018)

Hi, 

as the title says, it would be practical for me to be able to zero
the byte counter I can read from `netstat -i -b -h`. 

Do you know if this is at all possible ? 

bye
Nicola


----------



## ShelLuser (Jul 28, 2018)

I doubt it (though I'm not 100% sure) because this is basically a statistic logged by the kernel itself. What you could do though is use the statistics which your firewall keeps, those can usually be reset without a problem.

For example:


```
root@zefiris:/home/peter # pfctl -s info | head
Status: Enabled for 5 days 14:56:14           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
  Bytes In                      5223542432                0
  Bytes Out                     5240258559                0
  Packets In
    Passed                         6391039                0
    Blocked                            542                0
  Packets Out
    Passed                         6498998                0
```
If I were to use `# pfctl -F info` I'd reset these counters.


----------



## Nicola Mingotti (Jul 30, 2018)

ShelLuser, thank you for the suggestion to use `pf`, but
on my system `pfctl  -s info | head` I get


```
Status: Enabled for 0 days 01:34:57           Debug: Urgent

State Table                          Total             Rate
  current entries                       16               
  searches                           49118            8.6/s
  inserts                              212            0.0/s
  removals                             196            0.0/s
Counters
  match                               1552            0.3/s
  bad-offset                             0            0.0/s
```

Probably you put something in "pf.conf" to get the data about interfaces.

Anyhow, I am now using `pfctl -s labels -z`, after
setting the appropriate labels in pf.conf, and I get even more than what
I wanted to check.


----------



## ShelLuser (Jul 30, 2018)

Nicola Mingotti said:


> ShelLuser, thank you for the suggestion to use `pf`, but
> on my system `pfctl  -s info | head` I get


Yeah, maybe I wasn't clear enough.

FreeBSD provides you with 3 different firewalls: IPFW, IPF and PF. I don't have hands-on experience with IPFW but I do with the others, and both of them could keep a log of traffic which passed through. But the way they do that obviously differs per firewall.

What I showed you above wasn't a tip to start using pfctl(8); it was a tip to look into whatever firewall you're currently using and then enable its logging / statistical capabilities.

If you do wish to use PF for this then you'll need to set loginterface in /etc/pf.conf. See also pf.conf(5) (I strongly suggest that you check the PF documentation because unlike other firewalls it's very picky with the order in which you add rules and settings to the configuration file).

But as I said: I'm sure other firewalls support this aspect too.


----------



## Nicola Mingotti (Jul 30, 2018)

My fault, I read very fast and focused on your command.

But your tip passed, I will use a firewall.
Bye


----------



## alexseitsinger (Jul 30, 2018)

I would second the suggestion to use PF. It's a well-built firewall that's easy to use. You can find a lot of documentation on it on the internet as well. I would also suggest reading "The Book of PF" if you have the chance. It sheds some light on the various configurations possible with it.


----------



## Nicola Mingotti (Jul 30, 2018)

Yes, yes, sure alexseitsinger, I have quite many hours of head banging against "pf" and not more than 20 hours against "ipfw". I like both. "The Book of PF" is good because it stresses differences between pf in different *BSD; I own a copy and read it in spots.

The point is what I wanted to do was so easy I thought I could bypass the firewall.

The reasons for it were:
1] I did not remember on the spot how to do the logging with pf (I studied pf quite well about 1.5 years ago, in OpenBSD 6.0, but with time knowledge faded out)

2] possibly I would not modify "pf.conf" of well tested servers

But, I "discovered" I already put labels in pf.conf of the server I wanted the stats of.
==> Logging became a trivial business, without changing the pf.conf.


----------
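The label-based accounting mentioned in the thread (`pfctl -s labels -z`), shown as an added example that is not part of any post above: a small filter that sums bytes in and out per label, since one label can be attached to several rules. The function names and sample lines are constructed for illustration; the column order follows pfctl(8), and labels are assumed to contain no whitespace.

```shell
#!/bin/sh
# Sum per-label byte counters from `pfctl -s labels` style output.
# Column order as documented in pfctl(8):
#   label evaluations packets bytes pkts-in bytes-in pkts-out bytes-out [states]
# Assumption: labels contain no whitespace.

label_bytes() {
    awk '
        # Skip lines that are too short or carry non-numeric counters.
        NF < 8 { bad++; next }
        $6 !~ /^[0-9]+$/ || $8 !~ /^[0-9]+$/ { bad++; next }
        # The same label may appear on several rules: accumulate.
        { in_b[$1] += $6; out_b[$1] += $8 }
        END {
            for (l in in_b)
                printf "%s in=%.0f out=%.0f\n", l, in_b[l], out_b[l]
            if (bad)
                printf "skipped %d malformed line(s)\n", bad > "/dev/stderr"
        }
    ' | sort
}

# Constructed sample input (not captured from a real host).
sample_labels() {
    cat <<'EOF'
ssh-in 1200 340 51200 200 20480 140 30720 3
web-in 1200 900 1048576 400 262144 500 786432 12
web-in 800 100 4096 60 1024 40 3072 2
garbage line
EOF
}

# Live use on a host with labelled rules (as root); -z zeroes the
# per-rule counters after printing, so each run reports one interval:
#   pfctl -s labels -z | label_bytes

sample_labels | label_bytes
```

Because `-z` clears the counters on every call, run it from a single scheduled job only; a second consumer reading the same labels would see truncated intervals.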

