[squid-users] Data usage reported in log files

Antony Stone Antony.Stone at squid.open.source.it
Fri Mar 10 19:20:42 UTC 2017


On Friday 10 March 2017 at 20:14:36, Yosi Greenfield wrote:

> Hello all,
> 
> I'm analyzing my squid logs with sarg, and I see that the number of
> bytes reported as used by any particular user is often nowhere
> near the bytes reported by netflow and tcpdump.

Which is larger?

> I'm trying to trace my users' data usage by site, but I'm unable to
> do so from the log files because of this.

Well, what is it you really want to know?

netflow / tcpdump will give you accurate numbers for the quantity of data on 
your Internet link - I assume this is what you're most interested in?

Squid will show you what quantity of data goes to/from the clients, but is 
that really important?

> Can someone please explain to me what I might be missing? Why does
> squid log report one thing and netflow and tcpdump show something
> else?

Data compression?

HTTP responses are often gzipped, so if tcpdump is showing you smaller numbers 
of bytes than Squid reports, that's what I'd look at first.


Antony.

-- 
This sentence contains exacly three erors.

                                                   Please reply to the list;
                                                         please *don't* CC me.

