On Thu, Oct 26, 2006 at 10:59:14AM +0200, Christoph Kaegi wrote:
> 
> Hello List
> 
> Our 3.0 ipf Firewall handles several thousand users on a 40MBit/s 
> link to the internet.
> 
> Now we experience delays on internet connections and certain 
> applications (video conferencing) report packet loss.
> 
> How can I find out if and where packets are dropped on the firewall?
> (apart from netstat -di) 

Well, netstat -di can give a good hint already. But the wm driver
didn't properly report some inputs error, I fixed this recently in
current.
You can also look at netstat -q, to see if there are drops at a highter
level. If you see drops here you can try to bump IFQ_MAXLEN
to something larger than 256.

Also look at vmstat -m, especially for failed requests to mbpl and mclpl.
If there are failed requests you have to bump NMBCLUSTERS (you'll have to
if you bump IFQ_MAXLEN anyway, I think)

You may also want to install something like pkgsrc/net/mrtg, to
monitor traffic, in both byte count and packets counts (the script provided
in the above package does byte count, but it's trivial to change it to
do packets count too)

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 26 ans d'experience feront toujours la difference
--