Ethereal-users: Re: [Ethereal-users] total byte count difference for t/ethereal / NAI sniffer /

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 12 Feb 2004 18:20:47 -0800

On Feb 11, 2004, at 10:14 AM, gab.seun jones.ewulomi wrote:
1)i used tethereal/ethereal(same as the summary window i presume) to view the logon-app,trc file (output below and please correct me if I have misunderstood any part in my descriptions)
frame frames:303 bytes:29884(Total payload+headers) 
 tr                                     frames:303 bytes:29884
   llc                                  frames:303 bytes:29884
     ip                                 frames:303 bytes:29884
       tcp                              frames:303 bytes:29884
data frames:214 bytes:24366 (total payload bytes)
2)using NAI sniffer I got 31096 bytes in total when you click on the statistics tab on NAI sniffer. 

31096-29884 = 1212 = 303*4.
The Sniffer is probably counting the 4 bytes of FCS at the end of the packet. I don't know whether DOS Sniffer Token Ring capture files include a CRC for all frames - I don't think I've seen an FCS in any DOS Sniffer captures - but, even if it doesn't, the Sniffer might, when calculating those statistics, count the FCS. 

Ethereal doesn't, as the FCS isn't actually in the capture.


3)using tcpdump
12:38:40.760392 snap ip 10.101.2.161.3459 > 11.134.32.61.ica: P [tcp sum ok] 98260575:98260602(27) ack 3072908457 win 8458 (DF) (ttl 32, id 2330, len 67) 

My understanding is

(27) - is the payload in bytes
len 67 - is total bytes payload+headers (I think this only adds the tcp and ip headers)
It's the "total length" from the IP header; it includes the IP header, the TCP header, and the TCP payload, but *NOT* any link-layer headers.
I then used a script using a combination of awk and sed to format and grab the columns with the total byte lengths for each frame e.g (len 67) for both src and dst e.g 

tcpdump -r logon-app-trc.cap src <ip>  -vvv
tcpdump -r logon-app-trc.cap dst <ip> -vvv

and then added them all together and it gave me
23218 bytes in total

23218 bytes


29884-23218 = 6666 = 22*303.
A minimum Token Ring header is 14 bytes (with no source-routing), an 802.2 LLC header is 3 bytes, and a SNAP header is 5 bytes, so that's 14+3+5 = 22.
Now judging by what I want done which is to determine the amount of bandwidth consumed on logon which of this is giving me a true picture in which I can use in my bandwidth calculation. 

What type of bandwidth are you interested in?
If you're curious how heavily the network on which you're capturing is being used, the Sniffer's answer is probably closest to the right answer, as the FCS *is* being transmitted.
The "total payload bytes" doesn't count packets with no payload, e.g. ACK-only segments. 29884-24366 = 5518; 303-214 - 89, and 89*62 = 5518, so the no-payload packets appear to be 62 bytes long. 22 bytes of Token Ring header, 20 bytes of IP header, and 20 bytes of TCP header add up to 62 bytes. Those packets *are* transmitted, so they do take up bandwidth on the network. 

Similarly, the Token Ring headers are transmitted.