Ethereal-users: Re: [Ethereal-users] total byte count difference for t/ethereal / NAIsniffer / t
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "gab.seun jones.ewulomi" <seun_ewulomi@xxxxxxxxxxx>
Date: Fri, 13 Feb 2004 12:04:01 +0000
Hi Guy,Thank you for explaining it really helped. I will go with what the NAI sniffer says.
To your question What type of bandwidth are you interested in?I am intrested in how much bandwidth a logon process takes on e.g on a 64KB leased line.
Users have been complaining that logon is quite slow. Have you got an approach on how to determine this? Regards, gab
From: Guy Harris <guy@xxxxxxxxxxxx> Reply-To: Ethereal user support <ethereal-users@xxxxxxxxxxxx> To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>Subject: Re: [Ethereal-users] total byte count difference for t/ethereal / NAIsniffer / tcpdumpDate: Thu, 12 Feb 2004 18:20:47 -0800 On Feb 11, 2004, at 10:14 AM, gab.seun jones.ewulomi wrote:1)i used tethereal/ethereal(same as the summary window i presume) to view the logon-app,trc file (output below and please correct me if I have misunderstood any part in my descriptions)frame frames:303 bytes:29884(Total payload+headers)tr frames:303 bytes:29884 llc frames:303 bytes:29884 ip frames:303 bytes:29884 tcp frames:303 bytes:29884data frames:214 bytes:24366 (total payload bytes)2)using NAI sniffer I got 31096 bytes in total when you click on the statistics tab on NAI sniffer.31096-29884 = 1212 = 303*4.The Sniffer is probably counting the 4 bytes of FCS at the end of the packet. I don't know whether DOS Sniffer Token Ring capture files include a CRC for all frames - I don't think I've seen an FCS in any DOS Sniffer captures - but, even if it doesn't, the Sniffer might, when calculating those statistics, count the FCS.Ethereal doesn't, as the FCS isn't actually in the capture.3)using tcpdump12:38:40.760392 snap ip 10.101.2.161.3459 > 11.134.32.61.ica: P [tcp sum ok] 98260575:98260602(27) ack 3072908457 win 8458 (DF) (ttl 32, id 2330, len 67)My understanding is (27) - is the payload in byteslen 67 - is total bytes payload+headers (I think this only adds the tcp and ip headers)It's the "total length" from the IP header; it includes the IP header, the TCP header, and the TCP payload, but *NOT* any link-layer headers.I then used a script using a combination of awk and sed to format and grab the columns with the total byte lengths for each frame e.g (len 67) for both src and dst e.gtcpdump -r logon-app-trc.cap src <ip> -vvv tcpdump -r logon-app-trc.cap dst <ip> -vvv and then added them all together and it gave me 23218 bytes in total 23218 bytes29884-23218 = 6666 = 22*303.A minimum Token Ring header is 14 bytes (with no source-routing), an 802.2 LLC header is 3 bytes, and a SNAP header is 5 bytes, so that's 14+3+5 = 22.Now judging by what I want done which is to determine the amount of bandwidth consumed on logon which of this is giving me a true picture in which I can use in my bandwidth calculation.What type of bandwidth are you interested in?If you're curious how heavily the network on which you're capturing is being used, the Sniffer's answer is probably closest to the right answer, as the FCS *is* being transmitted.The "total payload bytes" doesn't count packets with no payload, e.g. ACK-only segments. 29884-24366 = 5518; 303-214 - 89, and 89*62 = 5518, so the no-payload packets appear to be 62 bytes long. 22 bytes of Token Ring header, 20 bytes of IP header, and 20 bytes of TCP header add up to 62 bytes. Those packets *are* transmitted, so they do take up bandwidth on the network.Similarly, the Token Ring headers are transmitted. _______________________________________________ Ethereal-users mailing list Ethereal-users@xxxxxxxxxxxx http://www.ethereal.com/mailman/listinfo/ethereal-users
_________________________________________________________________Stay in touch with absent friends - get MSN Messenger http://www.msn.co.uk/messenger
- Prev by Date: Re: [Ethereal-users] total byte count difference for t/ethereal / NAI sniffer / tcpdump
- Next by Date: [Ethereal-users] diplay filter for rtp.payload with 100% silence
- Previous by thread: [Ethereal-users] Re: Ethereal-users Digest, Vol 10, Issue 14 (Out of Office)
- Next by thread: [Ethereal-users] "A Required .DLL file, MPRAPI.DLL, was not found."
- Index(es):