Wireshark-dev: Re: [Wireshark-dev] Conversation and endpoints byte counts
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 08 Jul 2011 19:54:02 -0700
On Jul 8, 2011, at 7:44 PM, Chris Maynard wrote:

> With my recent commit in r37945, it is now possible to view GRE-encapsulated IP
> conversations and endpoints, which also include any other supported
> conversations such as UDP and TCP as well.  However, when looking at the bytes
> being counted as part of those conversations, I noticed that they were all the
> same and in fact included the byte count for the entire packet rather than only
> for the Layer3/4 that the conversation pertained to.

What exactly do people want with those byte counts?

> For example, I have a Linux Cooked encapsulated packet

...which means that you can't get a link-layer byte count that pertains to what was actually sent out over any network link.

If the entire frame length is counted, 802.11 with radio information would also give you bogus link-layer byte counts, as the radio metadata would be counted.