Wireshark-users: Re: [Wireshark-users] 32768 bytes missing in capture file
From: Sake Blok <sake@xxxxxxxxxx>
Date: Sun, 18 May 2008 17:16:34 +0200
On Tue, May 13, 2008 at 08:43:05PM -0700, Deepti Kumar wrote:
> > > 
> > > > (2) What are these negative values?
> > > 
> > > That should not happen. I think there might be a bug in the code 
> > > that displays these messages, could you please open a bug report on
> > > http://bugs.wireshark.org and attach the capture file that shows
> > > this behavior? I will try to have a look at it when time permits :-)
> > 
> > Well, I could not resist looking into this issue already. There were
> > indeed some errors in the reassembly routine. I have committed a fix.
> > You can download an automated build in a couple of hours from:
> > 
> > http://www.wireshark.org/download/automated/
> > 
> > (please make sure you get a file with a number higher than 25289)

> Thank you Sake, for the prompt reply.
> I'll download the fixed version but before that I wanted to know 
> something else as well.
> 
> Is it not possible to determine correctly the number of bytes on the wire?
> For instance I want to determine the number of bytes that were exchanged 
> in an HTTP vs HTTPS request. Is it not possible to determine how much 
> traffic is exchanged when i make an HTTP request? I cannot do so with 
> "Follow TCP Stream" option because as we saw it misses reading some 
> bytes. Is there any other option?

It is indeed possible to determine the number of bytes on the wire
correctly. But it is only possible if the capture file contains all
traffic from the conversation. This seems trivial, but there are
two main reasons why it might not be the case:

- mirrored traffic usually has lower priority on a switch, so if
  it's busy, those might be the first packets to be dropped.

- capturing high volumes of traffic might result in packet discards
  on the capturing device

If you do have a capture file that contains all the traffic, you need
to think about what it is exactly that you want to know:

- Is it the number of bytes on the wire, i.e., eth-headers, ip-headers,
  tcp-headers, http-headers and http-data?

- or maybe just the object size of the objects transmitted?

The first can be determined when you use the "Conversations" option
in the Statistics menu. Choose TCP and you're set. The last one is
a bit trickier, since Follow TCP Stream will give you a summary of
all TCP data, i.e., http-header and http-body (object).

Hope this helps,
Cheers,
    Sake


PS  It is better to ask these questions on the mailing list instead
    of directly to list members. That way other people can respond
    to your question too, but more importantly, other people might
    learn from your question or the answers. I CC'd the list again :-)
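As an added example (not part of this thread or of Wireshark), a small Python script that makes the two counts concrete on a constructed capture: bytes on the wire per TCP conversation (what Statistics > Conversations reports), TCP payload bytes (what Follow TCP Stream reassembles), and the gap a sequence-number jump reveals when segments were lost before capture. The frame builder, addresses and the 32768-byte hole are constructed; checksums are left zero.

```python
import struct
from collections import defaultdict

def build_frame(src, sport, dst, dport, seq, payload):
    # Minimal Ethernet/IPv4/TCP frame; checksums left zero (constructed sample, not real traffic)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(frames):
    # Classic pcap: little-endian magic, version 2.4, link type 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f  # ts_sec, ts_usec, incl_len, orig_len
    return out

def tcp_records(pcap):
    # Yield (orig_len, src, sport, dst, dport, seq, payload_len) for every TCP frame in the file
    off = 24
    while off < len(pcap):
        _, _, incl, orig = struct.unpack("<IIII", pcap[off:off + 16])
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        ip = frame[14:]
        if frame[12:14] != b"\x08\x00" or ip[9] != 6:
            continue
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        sport, dport, seq = struct.unpack("!HHI", ip[ihl:ihl + 8])
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        yield orig, src, sport, dst, dport, seq, total - ihl - (ip[ihl + 12] >> 4) * 4

def conversation_stats(pcap):
    # Per conversation: bytes on the wire (Conversations), TCP payload bytes (Follow TCP Stream),
    # and bytes missing according to gaps in each direction's sequence numbers
    stats = defaultdict(lambda: {"wire_bytes": 0, "tcp_data_bytes": 0, "missing_bytes": 0})
    expected = {}  # next expected seq per direction
    for orig, src, sport, dst, dport, seq, plen in tcp_records(pcap):
        s = stats[tuple(sorted([(src, sport), (dst, dport)]))]
        s["wire_bytes"] += orig
        s["tcp_data_bytes"] += plen
        d = (src, sport, dst, dport)
        if d in expected and seq > expected[d]:
            s["missing_bytes"] += seq - expected[d]
        expected[d] = max(expected.get(d, 0), seq + plen)
    return dict(stats)

CLIENT, SERVER = ("10.0.0.1", 40000), ("10.0.0.2", 80)
SAMPLE = build_pcap([  # constructed capture; the server's second data segment skips 32768 bytes
    build_frame(*CLIENT, *SERVER, 1, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    build_frame(*SERVER, *CLIENT, 1, b"HTTP/1.1 200 OK\r\n\r\n" + b"A" * 100),
    build_frame(*SERVER, *CLIENT, 1 + 119 + 32768, b"B" * 50)])
```

Run `conversation_stats(SAMPLE)` to see the three counters for the single conversation; a non-zero `missing_bytes` is the sign that the capture, not the dissector, is short.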