tcpdump mailing list archives
difference (in sequence number and ACK )in filtering and without filtering by tcpdump
From: "hossein talebi" <talebihossain () gmail com>
Date: Mon, 10 Nov 2008 23:06:41 +0330
Hi,

I ran tcpdump while a file (almost 4MB in size) was downloading, with the following filter:

*"tcpdump -w pcapfile1 'tcp and host <MY IP ADDRESS>' "*

Then I applied filtering to pcapfile1:

*"tcpdump -r pcapfile1 -w pcapfile2 'tcp[tcpflags]&(tcp-syn|tcp-fin|tcp-rst)!=0 ' "*

Then I converted pcapfile1 and pcapfile2 to text.

For pcapfile1:

23:37:40.964795 IP 203.7.155.13.80 > 192.168.10.152.3272: FP* 5648:6122*(474) ack *1* win 6432
23:37:40.965647 IP 192.168.10.152.3272 > 203.7.155.13.80: F 1:1(0) ack *6123 * win 65061
23:37:41.225769 IP 192.168.10.152.3255 > 203.7.155.13.80: R* 0:0*(0) ack 7061 win 0
23:37:41.384564 IP 203.7.155.13.80 > 192.168.10.152.3271: FP *14120:14464*(344) ack *1* win 6432

And for pcapfile2:

23:37:40.964795 IP 203.7.155.13.80 > 192.168.10.152.3272: FP * 3080144641:3080145115*(474) ack* 3914951651* win 6432
23:37:40.965647 IP 192.168.10.152.3272 > 203.7.155.13.80: F 1:1(0) ack *475*win 65061
23:37:41.225769 IP 192.168.10.152.3255 > 203.7.155.13.80: R * 2505681888:2505681888*(0) ack *2821716423* win 0
23:37:41.384564 IP 203.7.155.13.80 > 192.168.10.152.3271: FP * 3077225966:3077226310*(344) ack *2000231756* win 6432

What is the reason for the differences? The differences cause the accurate size of the downloaded file to be wrong, because I measured the size of the data with Bro version 1.2.1 but the results are different (4MB on pcapfile1 and 1MB on pcapfile2).

I want to measure the accurate size of the data from the SYN, FIN and RST packet headers. How can I do this? How can I solve this problem? Is this problem a bug in tcpdump?

Please help me.
Thanks

--
Talebi Mazraeh Shahi Hossein
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
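An added example, not part of the original post or of tcpdump: given old-style text output in the format shown above but printed with `tcpdump -S` (absolute sequence numbers), it computes the payload bytes sent in each direction from the SYN and FIN/RST sequence numbers alone. The sample lines and addresses are constructed, and it assumes each direction carried less than 4 GiB and that both the SYN and the closing segment are present in the capture.

```python
import re

# Old-style tcpdump text line ("FLAGS seq:end(len)"), as in the post above.
# Must be produced with `tcpdump -S` so the numbers are absolute.
LINE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRPWE.]+) "
    r"(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)")

def bytes_per_direction(lines):
    """Return {(src, dst): payload bytes} using only SYN/FIN/RST segments."""
    first, last = {}, {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        key = (m["src"], m["dst"])
        seq, end, flags = int(m["seq"]), int(m["end"]), m["flags"]
        if "S" in flags:
            first[key] = (seq + 1) % 2**32   # SYN consumes one sequence number
        elif "F" in flags:
            last[key] = end                  # sequence number after last payload byte
        elif "R" in flags:
            last.setdefault(key, end)        # fall back to RST only if no FIN seen
    # Subtract modulo 2^32 so a wrapped sequence space still gives the right size.
    return {k: (last[k] - first[k]) % 2**32 for k in last if k in first}

# Constructed sample (documentation addresses); server ISN is close to wrapping.
SAMPLE = """\
10:00:00.000001 IP 192.0.2.10.3272 > 198.51.100.5.80: S 1000:1000(0) win 65535
10:00:00.000100 IP 198.51.100.5.80 > 192.0.2.10.3272: S 4294967000:4294967000(0) ack 1001 win 5840
10:00:05.000000 IP 198.51.100.5.80 > 192.0.2.10.3272: FP 4193709:4194183(474) ack 1301 win 6432
10:00:05.000900 IP 192.0.2.10.3272 > 198.51.100.5.80: F 1301:1301(0) ack 4194184 win 65061
""".splitlines()

if __name__ == "__main__":
    for (src, dst), n in bytes_per_direction(SAMPLE).items():
        print(f"{src} > {dst}: {n} bytes")
```

Relative sequence numbers cannot be used for this calculation, because their zero point depends on which segment tcpdump saw first for the connection.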