Wireshark-users: Re: [Wireshark-users] How much overhead does a Wireshark capture file contain ?

From: Bill Meier <wmeier@xxxxxxxxxxx>
Date: Thu, 11 Feb 2010 10:26:30 -0500
Henry Meleg wrote:
So I need to measure the traffic in bytes between two endpoints. If I
set up Wireshark on a laptop whose interface is enabled for promiscuous
mode and specify a capture filter between the source and destination IP
addresses that I am interested in and capture to a file then will that
file size be an accurate reflection of the traffic between the two
endpoints?
Does Wireshark add any overhead to the capture file that I need to take
into account by subtracting it from the captured file size to get an
accurate traffic figure, which I require to set up bandwidth management
filters?
Can anybody help?

May I suggest using capinfos (a Wireshark tool) to get information about the capture file.

Example output from capinfos

File name:           [...]
File type:           NA Sniffer (Windows) 2.00x
File encapsulation:  Ethernet
Number of packets:   27796
File size:           3979202 bytes
Data size:           2867234 bytes
Capture duration:    55732 seconds
Start time:          Mon Nov 17 11:10:59 2003
End time:            Tue Nov 18 02:39:50 2003
Data byte rate:      51.45 bytes/sec
Data bit rate:       411.58 bits/sec
Average packet size: 103.15 bytes
Average packet rate: 0.50 packets/sec
SHA1:                042a82ca1d53abbfebff210d9a1eb7121bd531b2
RIPEMD160:           444e0a11404e2424d51ab3c915d9c684b06b721a
MD5:                 b044be576c4206885a4165eae3264d29


See the capinfos man page....
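
Added example, not part of the original post and not Wireshark code: a sketch of where the gap between the "File size" and "Data size" figures comes from, assuming the classic libpcap file format (a 24-byte file header plus a 16-byte record header per packet). The Sniffer file in the output above uses a different layout, and the sample capture here is constructed in the code.

```python
import struct

PCAP_FILE_HDR = 24    # classic libpcap file header, written once
PCAP_RECORD_HDR = 16  # ts_sec, ts_frac, incl_len, orig_len before every packet

def pcap_overhead(blob):
    """Walk a classic pcap image and separate packet bytes from file overhead."""
    if len(blob) < PCAP_FILE_HDR:
        raise ValueError("truncated pcap file header")
    magic = blob[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian writer
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian writer
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset, packets, data, wire = PCAP_FILE_HDR, 0, 0, 0
    while offset < len(blob):
        if offset + PCAP_RECORD_HDR > len(blob):
            raise ValueError("truncated record header")
        _, _, incl_len, orig_len = struct.unpack_from(endian + "IIII", blob, offset)
        offset += PCAP_RECORD_HDR
        if offset + incl_len > len(blob):
            raise ValueError("truncated packet data")
        offset += incl_len
        packets += 1
        data += incl_len   # bytes actually stored in the file
        wire += orig_len   # bytes the frame had on the wire
    return {"packets": packets, "file_size": len(blob), "data_size": data,
            "wire_size": wire, "overhead": len(blob) - data}

def build_sample():
    """Constructed capture: three Ethernet-sized records, snaplen 96."""
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)
    # (captured length, original length); the second frame is cut by the snaplen
    for i, (incl, orig) in enumerate([(60, 60), (96, 1514), (90, 90)]):
        blob += struct.pack("<IIII", 1265900000 + i, 0, incl, orig) + bytes(incl)
    return blob

if __name__ == "__main__":
    for key, value in pcap_overhead(build_sample()).items():
        print(f"{key:10} {value}")
```

In this format the overhead is 24 + 16 × (number of packets) bytes, so it grows with packet count rather than with traffic volume. When a snapshot length truncates frames, the stored data is also smaller than the on-wire total, which is the figure that matters for bandwidth planning.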