Ethereal-users: RE: [Ethereal-users] packet/byte count

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Francisco Alcoba (TS/EEM)" <francisco.alcoba@xxxxxxxxxxxx>
Date: Tue, 25 Jan 2005 07:58:26 +0100
> I'm viewing some captured traffic (from a very simple session - wget 
> transferring a few files over HTTP), and I find the packet/byte count 
> information confusing.
> 
> Going to Statistics->Summary gives me a count that sounds reasonable 
> (831 packets, 351,829 bytes).
> 
> But, going to Statistics->Conversations (TCP tab) I see 
> strange things:
> 
> A is the client running wget to download 5 files of 50KB each.
> B is the webserver
> 
> I see just one TCP conversation of 13856 bytes transferred 
> from B to A.
> 
> The IPv4 tab shows only 144 bytes transferred from B to A, and 13712 
> bytes transferred from A to B!
> 
> So, even though I transferred 250KB+, the recognized TCP/IP conversations 
> only account for ~14KB.
> 
> What am I doing wrong here? The capture in question is at 
> http://members.hellug.gr/apapadop/ethereal/dump4.pcap in case 
> it helps.


Hi,

Statistics->Summary takes information from basic capture data; the data file has one record
per packet, and it stores there the length -real and captured-, packet number, etc.

Statistics->Conversations, on the other hand, relies on information generated by the dissectors
when analyzing the packets. It is the TCP dissector that must report it has found a packet
that belongs to a conversation, and its data. So, if the dissector does not finish properly,
conversation data is not updated. In your case, it looks like the capture was stopped at
96 bytes per packet; that means that for longer packets the HTTP dissector will throw an
exception -because it will try to look for data that is not in the capture- which will 
escalate back into the upper dissectors -TCP, IP, etc.-. They will not finish their work, 
so conversation data will not be recorded.

So, the data you see in the conversation list include only information from packets that 
are shorter than 97 bytes; but the summary will include every packet in the file -which 
means not only the HTTP gets, but also an additional conversation that is not HTTP-.

Regards,

  Francisco
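
Added example, not part of the original message: a Python sketch that reads only the per-packet record headers of a classic pcap file, the same data the reply says Statistics->Summary uses, and counts the packets whose captured length is shorter than their length on the wire. The function names and the zero-filled sample capture are constructed for illustration; pcapng files and nanosecond-timestamp pcap files are not handled.

```python
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap file, microsecond timestamps


def summarize_pcap(stream):
    """Walk the per-packet record headers only; no payload is dissected."""
    header = stream.read(24)
    if len(header) < 24:
        raise ValueError("file too short for a pcap global header")
    for endian in ("<", ">"):  # the magic number reveals the writer's byte order
        if struct.unpack(endian + "I", header[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic pcap file")
    snaplen = struct.unpack(endian + "I", header[16:20])[0]
    stats = {"snaplen": snaplen, "packets": 0, "wire_bytes": 0,
             "captured_bytes": 0, "truncated": 0}
    while True:
        rec = stream.read(16)
        if not rec:
            break
        if len(rec) < 16:
            raise ValueError("truncated record header")
        # ts_sec, ts_usec, captured length, real (on-the-wire) length
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        data = stream.read(incl_len)
        if len(data) < incl_len:
            raise ValueError("truncated packet data")
        stats["packets"] += 1
        stats["wire_bytes"] += orig_len
        stats["captured_bytes"] += incl_len
        if incl_len < orig_len:  # packet was cut at the snapshot length
            stats["truncated"] += 1
    return stats


def build_sample(snaplen, wire_lengths):
    """Constructed sample capture: zero-filled packets cut at snaplen."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for n, wire in enumerate(wire_lengths):
        captured = min(wire, snaplen)
        out += struct.pack("<IIII", n, 0, captured, wire) + bytes(captured)
    return out


if __name__ == "__main__":
    sample = build_sample(96, [66, 74, 1514, 1514, 60])
    print(summarize_pcap(io.BytesIO(sample)))
```

A non-zero `truncated` count means per-conversation totals derived from dissection of that file may be incomplete, while totals taken from the record headers still cover every packet.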