Subject: Re: Resetting ip, icmp etc statistics
To: Steven M. Bellovin <>
From: None <>
List: tech-net
Date: 03/31/2006 18:43:10
In message <>,
"Steven M. Bellovin" writes:

>On Fri, 31 Mar 2006 17:55:06 -0800, wrote:
>> And some folks find it objectionable. Next point?
>Let's look at it another way.  People want the ability to issue some
>command at a certain point in time, then see what the deltas are in
>counters since that point.  They also want to do it without installing
>things like snmp agents, partly because of complexity and partly
>because they (like I) may run some network tests in single-user mode.
>From that perspective, either zeroing the counters or checkpointing
>them is reasonable.  In general, I'm of the "give them enough rope"
>school of thought, but since checkpointing is strictly more powerful at
>only a slight increase in complexity (the need to specify an extra
>option when querying) it's probably the right solution.


I'm truly astonished if that needed to be spelled out so bluntly:
surely it was obvious in context?  But (since you took the time):
thank you for expounding it so well --- even in a forum where the
exposition *should* be superfluous.

And for those who handwaved about counter overflow: we use 64-bit
counters.  A 1.0Gbit/sec ethernet link sustains at most 123,000,000
bytes/sec. So a 1GbE link will therefore increment our 64-bit byte
counter by just under 1^27 per second.  So we have roughly 2^37
seconds before overflow. At 86,400 sec/day, a giga-second is roughly
11,574 days, call it 31 years.  So in very rough terms, a 64-bit
counter on a gigabit link will overflow in roughly 128 gigaseconds, or
(very roughly) four thousand years?  Hmmm, GDB says 123ULL * 1000 *
1000 will exceed (1ULL << 63) in 2,377 years. Close enough, seeing we
get all ((2^64)-1) values.
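
The checkpointing approach discussed in this thread, as an added example that is not part of the original message and is not NetBSD code: the struct, field and function names are hypothetical. It snapshots the counters without zeroing them, computes deltas that stay correct across a 64-bit wrap, and redoes the overflow estimate with the message's 123,000,000 bytes/sec figure.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical counter set; names are illustrative, not the kernel's. */
struct ipstat_snap {
    uint64_t ips_total;   /* packets received */
    uint64_t ips_badsum;  /* packets with a bad checksum */
    uint64_t ips_ibytes;  /* bytes received */
};

/* Checkpoint: copy the live counters and leave them untouched, so any
 * number of observers can hold independent baselines. */
static struct ipstat_snap checkpoint(const struct ipstat_snap *live)
{
    return *live;
}

/* Delta since a checkpoint. Unsigned subtraction is modulo 2^64, so the
 * result is still right if the live counter wrapped once in between. */
static struct ipstat_snap delta(const struct ipstat_snap *now,
                                const struct ipstat_snap *base)
{
    struct ipstat_snap d;
    d.ips_total  = now->ips_total  - base->ips_total;
    d.ips_badsum = now->ips_badsum - base->ips_badsum;
    d.ips_ibytes = now->ips_ibytes - base->ips_ibytes;
    return d;
}

/* Whole 365-day years until a counter growing at `rate` per second
 * reaches `limit`. */
static uint64_t years_to_reach(uint64_t limit, uint64_t rate)
{
    return limit / rate / 86400 / 365;
}

int main(void)
{
    /* Constructed sample values: byte counter is 100 short of wrapping. */
    struct ipstat_snap live = { 1000, 3, UINT64_MAX - 99 };
    struct ipstat_snap a = checkpoint(&live);   /* first observer */
    live.ips_total += 50; live.ips_ibytes += 300;
    struct ipstat_snap b = checkpoint(&live);   /* second observer */
    live.ips_total += 25; live.ips_badsum += 1; live.ips_ibytes += 200;
    struct ipstat_snap da = delta(&live, &a), db = delta(&live, &b);
    printf("since A: %llu pkts, %llu bytes\n",
           (unsigned long long)da.ips_total, (unsigned long long)da.ips_ibytes);
    printf("since B: %llu pkts, %llu bytes\n",
           (unsigned long long)db.ips_total, (unsigned long long)db.ips_ibytes);
    printf("years to 2^63 at 1GbE: %llu\n",
           (unsigned long long)years_to_reach(1ULL << 63, 123000000ULL));
    return 0;
}
```

Zeroing the counters would give only one baseline shared by everyone; here both observers get correct deltas from the same untouched counters.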