tcpdump mailing list archives

Re: how to get total packets length by tcpdump
From: alex medvedev <alexm () pycckue org>
Date: Tue, 9 Mar 2004 11:50:16 -0600 (CST)

hi,

no, i didn't try to compare my results with any other programs.
i just wrote the regex as a quick approximation :)

assuming your dump file is filtered, this should be more precise:

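#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <pcap.h>


pcap_t *pd;
char errbuf[PCAP_ERRBUF_SIZE];
unsigned long total_packets = 0;
unsigned long long total_length = 0;    /* an int would overflow on large dumps */


/* per-packet callback: h->len is the length on the wire, h->caplen is
   the (possibly snaplen-truncated) length actually stored in the file */
void
countit( u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
{
        total_length += h->len;
        total_packets++;
}

/* SIGINT: stop pcap_loop() and let main() print the totals so far
   (printf is not safe to call from a signal handler) */
void
sig(int signo)
{
        pcap_breakloop(pd);
}

int
main(int argc, char *argv[])
{
        int count;
        int linktype;
        const char *name;

        if (argc != 2) {
                fprintf(stderr, "usage: %s dumpfile\n", argv[0]);
                exit(1);
        }
        pd = pcap_open_offline(argv[1], errbuf);
        if (! pd) {
                puts(errbuf);
                exit(1);
        }
        /* install the handler only once pd is valid */
        (void)signal(SIGINT, sig);

        linktype = pcap_datalink(pd);
        name = pcap_datalink_val_to_name(linktype);
        printf("linktype %s\n", name ? name : "unknown");

        /* -1 is a read error; -2 means the loop was stopped by SIGINT */
        count = pcap_loop(pd, -1, countit, NULL);
        if ( count == -1)
                puts(pcap_geterr(pd));

        printf("total len = %llu, total packets = %lu\n", total_length,
            total_packets);

        pcap_close(pd);
        return 0;
}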

thanks,

-alexm
11:16 09/03/2004

On Tue, 9 Mar 2004 wcai () gmu edu wrote:

Hi, alex,
Did you try to compare your result with another program such as Ethereal?
I met a difference.
My tcpdump command is similar to yours:
tcpdump -v -r host1.tcpdump | grep "len" | sed s/.*len// | cut -d ')' -f 1 | awk '{sum+=$1;print sum}' | tail -1

The host1.tcpdump file is the already dumped file with all tcp packets. The above command returned 713596 bytes, but when I use ethereal to get the summary, it's 800697 bytes. And another software also showed 800697 bytes.

Where is the potential problem by using that tcpdump filter?

WC

----- Original Message -----
From: alex medvedev <alexm () pycckue org>
Date: Monday, March 8, 2004 6:56 pm
Subject: Re: [tcpdump-workers] how to get total packets length by tcpdump

hi,

this is a very rough regex and you may have to tweak it but it worked for me :)

# tcpdump -v -r tcpdump-raw.dump tcp | grep "length:" |grep -v "^[^0-9]" | sed s/.*length:// | cut -d')' -f 1 | awk '{sum+=$1; print sum}'

all in one line.
the last number is the answer.

-alexm
17:51 08/03/2004

On Mon, 8 Mar 2004 wcai () gmu edu wrote:

Greetings,

Is there any simple way to calculate the total length (in bytes)
of all tcp packets in a tcpdump file? I mean, is it possible that
I can do this by adding some options to tcpdump?

WC

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
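
Added example, not part of the original thread: the "len" that tcpdump -v prints for IP is the IP total length, while the pcap record header (h->len in the program above) holds the on-wire frame length, so the two approaches sum different quantities. This sketch walks a classic pcap image without libpcap and returns all three totals; it assumes a little-endian file with Ethernet link type, and the sample records and the names sum_pcap, put_rec and demo are constructed for illustration.

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

struct totals { uint64_t wire, captured, ip; unsigned packets; };
static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Walk a little-endian Ethernet pcap image; -1 on bad header or truncated record. */
int sum_pcap(const uint8_t *buf, size_t n, struct totals *t) {
    memset(t, 0, sizeof *t);
    if (n < 24 || le32(buf) != 0xa1b2c3d4u || le32(buf + 20) != 1) return -1;
    for (size_t off = 24; off < n; ) {
        if (n - off < 16) return -1;
        uint32_t incl = le32(buf + off + 8), orig = le32(buf + off + 12);
        const uint8_t *f = buf + off + 16;
        if (incl > n - off - 16) return -1;
        t->packets++;
        t->wire += orig;      /* h->len in a libpcap callback */
        t->captured += incl;  /* h->caplen */
        if (incl >= 18 && f[12] == 0x08 && f[13] == 0x00)  /* IPv4 ethertype */
            t->ip += (uint32_t)f[16] << 8 | f[17];         /* IP total length */
        off += 16 + (size_t)incl;
    }
    return 0;
}

/* Constructed record: zeroed frame with only ethertype and IP length filled in. */
static size_t put_rec(uint8_t *b, size_t off, uint32_t orig, uint32_t incl, uint16_t iplen) {
    uint8_t *f = b + off + 16;
    put32(b + off + 8, incl); put32(b + off + 12, orig);
    f[12] = 0x08; f[16] = (uint8_t)(iplen >> 8); f[17] = (uint8_t)iplen;
    return off + 16 + incl;
}
/* Constructed sample: 40-byte IP packet padded to 60; 1514-byte frame cut to snaplen 68. */
int demo(struct totals *t) {
    uint8_t b[256] = {0};
    put32(b, 0xa1b2c3d4u); put32(b + 16, 68); put32(b + 20, 1);
    return sum_pcap(b, put_rec(b, put_rec(b, 24, 60, 60, 40), 1514, 68, 1500), t);
}
int main(void) {
    struct totals t;
    if (demo(&t) != 0) return 1;
    printf("packets=%u wire=%" PRIu64 " captured=%" PRIu64 " ip=%" PRIu64 "\n",
           t.packets, t.wire, t.captured, t.ip);
    return 0;
}
```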
