Troubleshooting guide

Chapter 2 Troubleshooting Tools VPN-1/FireWall-1 Control Commands
Advanced Technical Reference Guide 4.1 June 2000 9
fw ctl pstat
The following is an explanation of some typical output from the fw ctl pstat command, which generates
internal statistics. It prints detailed information about the hash kernel memory in use (controlled by the
parameter fwhmem) and the system kernel memory in use, including peak values of both.
Output
Hash kernel memory (hmem) statistics:
Total memory allocated: 4194304 bytes in 1023 4KB blocks using 1 pool
Total memory bytes used: 201600 unused: 3992704 (95%) peak: 205872
Total memory blocks used: 53 unused: 970 (94%)
Allocations: 61671 alloc, 0 failed alloc, 59509 free
Explanation A pool of 4194304 bytes was allocated by the VPN/FireWall module kernel for its internal
hash table items and other kernel data structures. 3992704 bytes are available in that
pool. There were 61671 allocation operations and 59509 free operations, and none had to
be rejected due to memory exhaustion.
Output
System kernel memory (kmem) statistics:
System physical memory: 62857216 bytes
Available physical memory: 3072000 bytes
Total memory bytes used: 5615497 peak: 5712425
Allocations: 552 alloc, 0 failed alloc, 254 free, 0 failed free
Explanation The amount of system physical memory is 62857216 bytes, of which 3072000 bytes are
available for kernel allocation (note that this information is not displayed on all supported
platforms). 5615497 bytes of kernel memory are used by the FireWall kernel module
(including the hash memory) and the peak usage was 5712425 bytes.
Output
Inspct: 1853775 packets, 215915927 operations, 5098022 lookups,
241118 record, 94958150 extract
Explanation This information relates to the activity of the virtual machine. (The figures relate to virtual
machine operations, lookups and records in tables, and the number of packets
inspected).
Output
Cookies: 1972405 total, 411870 alloc, 411870 free, 30001 dup,
4344704 get, 120861 put, 2038056 len
Explanation FireWall-1 uses an abstract data type (cookie) to represent packets. These statistics
relate to the code that handles those cookies and are used only for heuristic tuning of the
code.
Output
Fragments: 142389 fragments, 0 expired, 24012 packets
Explanation FireWall-1 performs 'virtual reassembly', which means that it gathers all the fragments of a
packet before processing that packet. These statistics tell us that the kernel
module has processed 142389 fragments and assembled them into 24012 packets, and that
no fragments expired. Fragments expire when their packet fails to be reassembled
within a 20-second time frame or when, due to memory exhaustion, they cannot be kept in
memory any longer.
Output
Encryption: 39948 encryption, 38797 decryption, 22348 short, 0 failures.
Explanation This information relates to the number of packets encrypted and decrypted by the
kernel. The 'short' element refers to the number of packets which were not encrypted
because they had no data in them (they had only headers, and the fwz scheme
does not encrypt headers).
Output
Translation: 245/1023021 forw, 222/829627 bckw, 467 tcpudp, 0 icmp, 36-31 alloc .
Explanation This information relates to address translation. 245 of the 1023021 packets going in the
'forward' direction and 222 of the 829627 packets going in the 'backward' direction
were translated (forward = outgoing, backward = incoming). 467 of the translations were
of tcp/udp packets, while no ICMP packet had to be translated. 36 tcp/udp port numbers
were dynamically allocated while 31 were de-allocated.
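
The counters explained above can be checked automatically from saved fw ctl pstat output. The following is an added example, not part of the original guide or of the product: it parses the memory, fragment and encryption lines and reports any nonzero failure counter plus the peak hash-memory use. The function names, the choice of counters to flag and the sample text (built from the output quoted in this guide) are assumptions of the example.

```python
import re

# Constructed sample: the output lines quoted in this guide (wrapped lines omitted).
SAMPLE = """\
Hash kernel memory (hmem) statistics:
Total memory allocated: 4194304 bytes in 1023 4KB blocks using 1 pool
Total memory bytes used: 201600 unused: 3992704 (95%) peak: 205872
Allocations: 61671 alloc, 0 failed alloc, 59509 free
System kernel memory (kmem) statistics:
Total memory bytes used: 5615497 peak: 5712425
Allocations: 552 alloc, 0 failed alloc, 254 free, 0 failed free
Fragments: 142389 fragments, 0 expired, 24012 packets
Encryption: 39948 encryption, 38797 decryption, 22348 short, 0 failures.
"""

def parse_pstat(text):
    """Return {section: {counter: int}} for the lines the checks below use."""
    stats, section = {}, None
    for line in text.splitlines():
        head, _, rest = line.strip().partition(":")
        m = re.search(r"\((hmem|kmem)\) statistics$", head)
        if m:
            section = m.group(1)  # following memory lines belong to this pool
        elif head in ("Allocations", "Fragments", "Encryption"):
            key = section if head == "Allocations" else head.lower()
            for value, label in re.findall(r"(\d+) ([a-z ]+)", rest):
                stats.setdefault(key, {})[label.strip()] = int(value)
        elif section == "hmem" and head == "Total memory allocated":
            stats.setdefault("hmem", {})["pool"] = int(rest.split()[0])
        elif section == "hmem" and head == "Total memory bytes used":
            stats.setdefault("hmem", {})["peak"] = int(rest.split("peak:")[1])
    return stats

def findings(stats):
    """List nonzero failure counters (which ones to flag is this example's choice)."""
    checks = [("hmem", "failed alloc"), ("kmem", "failed alloc"),
              ("kmem", "failed free"), ("fragments", "expired"),
              ("encryption", "failures")]
    return [f"{sec}: {name} = {stats[sec][name]}" for sec, name in checks
            if stats.get(sec, {}).get(name, 0) > 0]

def hmem_peak_pct(stats):
    """Peak hash-memory use as a percentage of the allocated pool."""
    return round(100 * stats["hmem"]["peak"] / stats["hmem"]["pool"], 1)

if __name__ == "__main__":
    s = parse_pstat(SAMPLE)
    print(findings(s) or "no failure counters set", f"hmem peak {hmem_peak_pct(s)}%")
```

A rising 'failed alloc' or 'expired' count between two captures, or a peak close to the pool size, points to the memory exhaustion conditions described above.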