Ethereal-users: Re: [Ethereal-users] total byte count difference for t/ethereal / NAI sniffer /
On Feb 11, 2004, at 10:14 AM, gab.seun jones.ewulomi wrote:
1)i used tethereal/ethereal(same as the summary window i presume) to
view the logon-app,trc file (output below and please correct me if I
have misunderstood any part in my descriptions)
frame frames:303 bytes:29884(Total
payload+headers)
tr frames:303 bytes:29884
llc frames:303 bytes:29884
ip frames:303 bytes:29884
tcp frames:303 bytes:29884
data frames:214 bytes:24366 (total
payload bytes)
2)using NAI sniffer I got 31096 bytes in total when you click on the
statistics tab on NAI sniffer.
31096-29884 = 1212 = 303*4.
The Sniffer is probably counting the 4 bytes of FCS at the end of the
packet. I don't know whether DOS Sniffer Token Ring capture files
include a CRC for all frames - I don't think I've seen an FCS in any
DOS Sniffer captures - but, even if it doesn't, the Sniffer might, when
calculating those statistics, count the FCS.
Ethereal doesn't, as the FCS isn't actually in the capture.
3)using tcpdump
12:38:40.760392 snap ip 10.101.2.161.3459 > 11.134.32.61.ica: P [tcp
sum ok] 98260575:98260602(27) ack 3072908457 win 8458 (DF) (ttl 32, id
2330, len 67)
My understanding is
(27) - is the payload in bytes
len 67 - is total bytes payload+headers (I think this only adds the
tcp and ip headers)
It's the "total length" from the IP header; it includes the IP header,
the TCP header, and the TCP payload, but *NOT* any link-layer headers.
I then used a script using a combination of awk and sed to format and
grab the columns with the total byte lengths for each frame e.g (len
67) for both src and dst e.g
tcpdump -r logon-app-trc.cap src <ip> -vvv
tcpdump -r logon-app-trc.cap dst <ip> -vvv
and then added them all together and it gave me
23218 bytes in total
23218 bytes
29884-23218 = 6666 = 22*303.
A minimum Token Ring header is 14 bytes (with no source-routing), an
802.2 LLC header is 3 bytes, and a SNAP header is 5 bytes, so that's
14+3+5 = 22.
Now judging by what I want done which is to determine the amount of
bandwidth consumed on logon which of this is giving me a true picture
in which I can use in my bandwidth calculation.
What type of bandwidth are you interested in?
If you're curious how heavily the network on which you're capturing is
being used, the Sniffer's answer is probably closest to the right
answer, as the FCS *is* being transmitted.
The "total payload bytes" doesn't count packets with no payload, e.g.
ACK-only segments. 29884-24366 = 5518; 303-214 - 89, and 89*62 = 5518,
so the no-payload packets appear to be 62 bytes long. 22 bytes of
Token Ring header, 20 bytes of IP header, and 20 bytes of TCP header
add up to 62 bytes. Those packets *are* transmitted, so they do take
up bandwidth on the network.
Similarly, the Token Ring headers are transmitted.