tcpdump mailing list archives
Re: how to get total packets length by tcpdump
From: alex medvedev <alexm () pycckue org>
Date: Tue, 9 Mar 2004 11:50:16 -0600 (CST)
hi,

no, i didn't try to compare my results with any other programs. i just wrote the regex as a quick approximation :)

assuming your dump file is filtered, this should be more precise:

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <pcap.h>

pcap_t *pd;
char errbuf[PCAP_ERRBUF_SIZE];
int total_packets = 0;
unsigned long long total_length = 0;   /* wide enough for multi-gigabyte dumps */

/* pcap_loop() callback: add each packet's on-the-wire length to the totals */
void countit(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
{
    total_length += h->len;
    total_packets++;
}

/* SIGINT handler: print the running totals */
void sig(int signo)
{
    printf("total len = %llu, total packets = %d\n", total_length, total_packets);
}

int main(int argc, char *argv[])
{
    int count;
    int linktype;

    /* the dump file name is the only argument */
    if (argc < 2) {
        fprintf(stderr, "usage: %s dumpfile\n", argv[0]);
        exit(1);
    }

    (void)signal(SIGINT, sig);

    pd = pcap_open_offline(argv[1], errbuf);
    if (!pd) {
        puts(errbuf);
        exit(1);
    }

    linktype = pcap_datalink(pd);
    printf("linktype %s\n", pcap_datalink_val_to_name(linktype));

    /* read every packet in the file; a negative count means a read error */
    count = pcap_loop(pd, -1, countit, 0);
    if (count < 0)
        puts(pcap_geterr(pd));

    printf("total len = %llu, total packets = %d\n", total_length, total_packets);
    pcap_close(pd);
    return 0;
}

thanks,
-alexm
11:16 09/03/2004

On Tue, 9 Mar 2004 wcai () gmu edu wrote:
Hi, alex,

Did you try to compare your result with another program such as Ethereal? I met a difference. My tcpdump command is similar to yours:

tcpdump -v -r host1.tcpdump | grep "len" | sed s/.*len// | cut -d ')' -f 1 | awk '{sum+=$1;print sum}' | tail -1

The host1.tcpdump file is the already dumped file with all tcp packets. The above command returned 713596 bytes, but when I use ethereal to get the summary, it's 800697 bytes. And another software also showed 800697 bytes. Where is the potential problem by using that tcpdump filter?

WC

----- Original Message -----
From: alex medvedev <alexm () pycckue org>
Date: Monday, March 8, 2004 6:56 pm
Subject: Re: [tcpdump-workers] how to get total packets length by tcpdump

hi,

this is a very rough regex and you may have to tweak it but it worked for me :)

# tcpdump -v -r tcpdump-raw.dump tcp | grep "length:" |grep -v "^[^0-9]" | sed s/.*length:// | cut -d')' -f 1 | awk '{sum+=$1; print sum}'

all in one line. the last number is the answer.

-alexm
17:51 08/03/2004

On Mon, 8 Mar 2004 wcai () gmu edu wrote:

Greetings,

Is there any simple way to calculate the total length (in bytes) of all tcp packets in a tcpdump file? I mean, is it possible that I can do this by adding some options to tcpdump?

WC

-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
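Added example, not part of the original messages and not tcpdump or libpcap code: the program above sums pcap_pkthdr.len, the frame length on the wire including the link-layer header, while the tcpdump -v pipelines sum the length value printed from the IP header. The sketch below totals both figures for the IPv4/TCP frames in one capture so they can be compared side by side. It assumes a classic little-endian pcap file with Ethernet link type; sum_tcp, add_frame and struct totals are hypothetical names, and the capture image is constructed in memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct totals { unsigned long long wire, ip, pkts; };
static uint32_t le32(const unsigned char *p) {    /* little-endian field */
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk a classic pcap image (magic d4 c3 b2 a1, Ethernet link type) and total
 * both lengths over IPv4/TCP frames. Returns 0, or -1 on a malformed image. */
int sum_tcp(const unsigned char *buf, size_t n, struct totals *t) {
    size_t off = 24;                              /* past the global header */
    memset(t, 0, sizeof *t);
    if (n < 24 || le32(buf) != 0xa1b2c3d4u || le32(buf + 20) != 1) return -1;
    while (off < n) {
        if (n - off < 16 || le32(buf + off + 8) > n - off - 16) return -1;
        uint32_t caplen = le32(buf + off + 8), len = le32(buf + off + 12);
        const unsigned char *f = buf + off + 16;  /* start of the frame */
        off += 16 + (size_t)caplen;
        if (caplen < 34 || f[12] != 0x08 || f[13] != 0x00) continue; /* IPv4? */
        if (f[14] >> 4 != 4 || f[23] != 6) continue;                 /* TCP? */
        t->wire += len;                           /* same as pcap_pkthdr.len */
        t->ip += (unsigned)f[16] << 8 | f[17];    /* IPv4 total-length field */
        t->pkts++;
    }
    return 0;
}

/* Constructed sample: append one Ethernet/IPv4 record (wire < 256 bytes). */
size_t add_frame(unsigned char *b, size_t off, unsigned wire, unsigned ip, int proto) {
    unsigned char *f = b + off + 16;
    memset(b + off, 0, 16 + wire);
    b[off + 8] = b[off + 12] = (unsigned char)wire;   /* caplen == len */
    f[12] = 0x08; f[14] = 0x45; f[23] = (unsigned char)proto;
    f[16] = (unsigned char)(ip >> 8); f[17] = (unsigned char)ip;
    return off + 16 + wire;
}

int main(void) {
    unsigned char img[256] = {0xd4, 0xc3, 0xb2, 0xa1, 2, 0, 4, 0, 0, 0, 0, 0,
                              0, 0, 0, 0, 0xff, 0xff, 0, 0, 1, 0, 0, 0};
    struct totals t;
    size_t n = add_frame(img, 24, 54, 40, 6);     /* TCP: 14 + 40 bytes */
    n = add_frame(img, n, 60, 40, 6);             /* TCP padded to 60 bytes */
    n = add_frame(img, n, 60, 46, 17);            /* UDP: not counted */
    if (sum_tcp(img, n, &t)) return 1;
    printf("tcp packets=%llu wire=%llu ip=%llu\n", t.pkts, t.wire, t.ip);
    return 0;
}
```

On the constructed sample the two TCP frames total 114 bytes on the wire but 80 bytes of IP length, so the two methods only agree when the link-layer header and any padding are accounted for.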