tcpdump mailing list archives
Re: Traffic Accounting - How to do?
From: Guy Harris <gharris () sonic net>
Date: Tue, 14 Jan 2003 08:31:51 -0800
On Tue, Jan 14, 2003 at 09:55:13AM +0100, Schwarz Hans-Juergen wrote:
> IP and ports are clear so far, but what is the produced traffic of each packet? I assume it is the value after "len", is it?
"len", in that output, is the length value from the IP header. That value includes the IP header and the TCP header, as well as the payload; it includes traffic in both directions, including ACKs (which have about 40 bytes, but no data). So the value after "len" is *NOT* the length of the TCP or UDP payload of the packet; it's the total amount of data in the packet, minus the link-layer header and trailer, including IP and TCP/UDP headers.
> I'm not sure of it because when I transfer a file with 3,5 MB over ftp and count the "len" output from tcpdump divide to 8/1024/1024 I got about 7,5 MB of traffic.
Note that the output above includes non-FTP traffic; your tcpdump output might include that as well.
> So my question is how to get the correct traffic count out of tcpdump.
Unfortunately, there's no way to get the payload length printed without
changing the source code. There might be other tools that can read a
tcpdump capture file, as written with the "-w" flag, and report
information such as that; for example, Tethereal (which comes with
Ethereal:
http://www.ethereal.com/
) will print, when run without the "-V" flag, output such as
47 7.424771 192.9.5.5 -> 209.204.185.65 FTP-DATA FTP Data: 514 bytes
for the FTP data packets (it considers a packet to or from TCP port 20
as an FTP data packet).
Perhaps tcpdump should also print TCP port 21 traffic as FTP control
traffic, showing the commands and responses as text, and print TCP port
20 traffic as FTP data traffic, reporting the number of bytes of
payload in the packet.
(While we're at it, perhaps it should try to handle port 80 and 8080
traffic as HTTP, reporting commands and responses, and data lengths.)
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
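The distinction drawn in the reply above, between the IP-header "len" and the TCP/UDP payload, can be computed from a "-w" capture file. This is an added example, not code from the post or from tcpdump. It assumes a classic pcap file with Ethernet link type and unfragmented IPv4; the function names are hypothetical, and the sample capture is constructed, reusing the addresses from the Tethereal line with a made-up client port.

```python
import socket
import struct
from collections import defaultdict

def account(pcap):
    """Per-direction totals from a classic pcap file: {(src, dst): [ip_len_sum, payload_sum]}."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    totals, off = defaultdict(lambda: [0, 0]), 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
        ip_len = struct.unpack("!H", ip[2:4])[0]      # what tcpdump prints as "len"
        if ip[9] == 6 and len(ip) > ihl + 12:         # TCP: header length is a field
            l4_hdr = (ip[ihl + 12] >> 4) * 4
        elif ip[9] == 17:                             # UDP header is always 8 bytes
            l4_hdr = 8
        else:
            continue
        # Lengths come from header fields, so Ethernet padding and a short
        # snapshot length do not distort the totals.
        key = (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]))
        totals[key][0] += ip_len
        totals[key][1] += max(ip_len - ihl - l4_hdr, 0)
    return dict(totals)

def _frame(src, dst, sport, dport, data_len):
    """Constructed Ethernet/IPv4/TCP record (checksums left zero; unused here)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + data_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 8192, 0, 0)
    frame = (b"\x00" * 12 + b"\x08\x00" + ip + tcp + b"x" * data_len).ljust(60, b"\x00")
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def sample_pcap():
    """Constructed capture: one 514-byte FTP-DATA segment and the pure ACK answering it."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return (hdr + _frame("192.9.5.5", "209.204.185.65", 20, 1025, 514)
            + _frame("209.204.185.65", "192.9.5.5", 1025, 20, 0))

if __name__ == "__main__":
    for (src, dst), (ip_len, payload) in account(sample_pcap()).items():
        print(f"{src} -> {dst}: len={ip_len} payload={payload}")
```

On the sample, the data direction shows 554 bytes of "len" for 514 bytes of payload, and the ACK direction shows 40 bytes of "len" for no payload at all.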
