tcpdump mailing list archives

Re: how to get total packets length by tcpdump


From: Christian Kreibich <christian () whoop org>
Date: Tue, 09 Mar 2004 17:46:52 +0000

On Tue, 2004-03-09 at 17:11, wcai () gmu edu wrote:
> Hi, alex,
> Did you try to compare your result with another program such as Ethereal?
> I met a difference.
> My tcpdump command is similar to yours:
> tcpdump -v -r host1.tcpdump | grep "len" | sed s/.*len// | cut -d ')' -f 1 | awk '{sum+=$1;print sum}' | tail -1
>
> The host1.tcpdump file is the already dumped file with all tcp packets. The above command returned 713596 bytes, but when I use Ethereal to get the summary, it's 800697 bytes. And another software also showed 800697 bytes.
>
> Where is the potential problem by using that tcpdump filter?

Maybe some tools include link-layer bytes (e.g., 14 bytes for ethernet)
in the calculation, while others look only at IP + above? The shell
magic above uses the length provided in the IP header.

Regards,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
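
Added example, not part of the original message or of tcpdump: a small Python parser that computes both totals from a classic pcap file, the sum of the IPv4 total-length fields (what the pipeline above adds up) and the sum of the on-wire frame lengths from the pcap record headers. The sample capture, its addresses and its payload sizes are constructed, and the code assumes a little-endian pcap file with Ethernet link type.

```python
import struct

ETH_HDR_LEN = 14          # dst MAC + src MAC + EtherType
ETHERTYPE_IPV4 = 0x0800

def build_sample_pcap(ip_payload_sizes):
    """Constructed sample: Ethernet/IPv4 frames in classic pcap format."""
    # Global header: magic, version 2.4, tz, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for size in ip_payload_sizes:
        total_len = 20 + size  # 20-byte IPv4 header without options
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + bytes(size)
        frame = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4) + ip
        # Assumption: short frames appear padded to the 60-byte Ethernet minimum
        frame = frame.ljust(60, b"\0")
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def count_bytes(pcap):
    """Return (sum of IP total-length fields, sum of on-wire frame lengths)."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("expected little-endian classic pcap")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != 1:
        raise ValueError("example handles Ethernet (DLT_EN10MB) only")
    ip_sum = wire_sum = 0
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        wire_sum += orig_len                      # link-layer view
        if len(frame) >= ETH_HDR_LEN + 4:
            ethertype, = struct.unpack_from("!H", frame, 12)
            if ethertype == ETHERTYPE_IPV4:       # IP-header view
                ip_sum += struct.unpack_from("!H", frame, ETH_HDR_LEN + 2)[0]
    return ip_sum, wire_sum

if __name__ == "__main__":
    sample = build_sample_pcap([0, 100, 1460])    # constructed payload sizes
    ip_sum, wire_sum = count_bytes(sample)
    print("IP header lengths:", ip_sum, "frame lengths:", wire_sum)
```

On the constructed sample the two totals differ by 14 bytes per frame plus the padding on the one short frame, so the gap between the two counting methods need not be an exact multiple of 14.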

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html