Hi Folks,
I'm using tethereal to analyse some largeish dumps of a mixed
IPX and IP site (with some NCP over IP).
When I run:
tethereal -r data.dmp -R "not frame" -z io,phs > summary.txt
I get counts for IP and IPX frames and bytes.
I further analyse the IPX traffic in various ways based on the
results of a
tethereal -r data.dmp -R "not frame" -z conv,ipx | sort -r -n -k 9
Essentially all of the IPX traffic counted in the first command is
present in the conversations listed in the second.
However, when I run:
tethereal -r data.dmp -R "not frame" -z conv,ip | sort -r -n -k 9
only about 20% of the total IP byte count listed with "io/phs" is
listed in the conversations listed with "conv,ip". The volume of
data is too small to be sure, but I think the NCP part of the
conversations is not being included in the "conv,ip" counts.
Can anyone clarify how I can identify the missing 80% of the IP
traffic?
Cheers, Dieter.
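One way to chase down the unaccounted IP bytes, as an added example that is not part of the original post: instead of relying on the "-z conv,ip" summary, export per-packet fields and rebuild the conversation and per-protocol totals yourself, so every IP byte that "io,phs" counts is attributed to an address pair and an IP protocol number, and the two lists can be compared pair by pair. It assumes the field export of tethereal/tshark ("-T fields -e ip.src -e ip.dst -e ip.proto -e frame.len") is available in the version in use; the sample lines are constructed stand-ins for that output, not data from data.dmp.

```shell
#!/bin/sh
# Added example, not from the original post or the Ethereal project.
# Rebuilds IP conversation totals from per-packet fields so they can be
# reconciled against the io,phs byte count. Assumed command that produces
# the tab-separated input (field names as in tethereal/tshark):
#   tethereal -r data.dmp -R ip -T fields \
#       -e ip.src -e ip.dst -e ip.proto -e frame.len

# Constructed sample of that output (addresses, protocols and sizes made up).
# Columns: src  dst  ip.proto  frame.len
sample_fields() {
    printf '%s\t%s\t%s\t%s\n' \
        10.1.1.10 10.1.1.20  6 1200 \
        10.1.1.20 10.1.1.10  6   64 \
        10.1.1.30 10.1.1.20 17  300 \
        10.1.1.20 10.1.1.30 17  300 \
        10.1.1.40 10.1.1.50  6  100
}

# Bytes per unordered address pair, largest first: "bytes<TAB>A<->B".
# Both directions of a conversation land in the same bucket, which is
# what -z conv,ip reports per row.
conv_bytes() {
    awk -F'\t' '
        {
            key = ($1 < $2) ? $1 "<->" $2 : $2 "<->" $1
            bytes[key] += $4
        }
        END { for (k in bytes) printf "%d\t%s\n", bytes[k], k }
    ' | sort -r -n -k 1
}

# Bytes per IP protocol number (6 = TCP, 17 = UDP), largest first.
# Useful for spotting which transport carries the bulk of the traffic.
proto_bytes() {
    awk -F'\t' '
        { bytes[$3] += $4 }
        END { for (p in bytes) printf "%d\t%s\n", bytes[p], p }
    ' | sort -r -n -k 1
}

# Grand total of frame bytes on stdin; this is the figure to compare with
# the IP byte count printed by -z io,phs.
total_bytes() {
    awk -F'\t' '{ t += $4 } END { printf "%d\n", t }'
}

# Sum of the per-conversation rows; must equal total_bytes, otherwise some
# packets were dropped on the way into the conversation table.
conv_sum() {
    conv_bytes | awk -F'\t' '{ s += $1 } END { printf "%d\n", s }'
}

if [ "${1:-}" = "--demo" ]; then
    echo "total bytes:"; sample_fields | total_bytes
    echo "by conversation:"; sample_fields | conv_bytes
    echo "by ip.proto:"; sample_fields | proto_bytes
fi
```

Run the real capture through the same functions (`tethereal ... -T fields ... | conv_bytes`) and compare the rows against the "conv,ip" output; any pair present here but absent or much smaller there is where the missing bytes sit.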