On Tue, 2004-03-09 at 17:11, [EMAIL PROTECTED] wrote:
> Hi, alex,
> Did you try to compare your result with another program such as Ethereal?
> I met a difference.
> My tcpdump command is similar to yours:
> tcpdump -v -r host1.tcpdump | grep "len" | sed s/.*len// | cut -d ')' -f 1 | awk '{sum+=$1;print sum}' | tail -1
> 
> The host1.tcpdump file is the already dumped file with all tcp packets. The above
> command returned 713596 bytes, but when I use ethereal to get the summary, it's
> 800697 bytes. And another software also showed 800697 bytes.
> 
> Where is the potential problem by using that tcpdump filter?

Maybe some tools include link-layer bytes (e.g., 14 bytes for ethernet)
in the calculation, while others look only at IP + above? The shell
magic above uses the length provided in the IP header.

Regards,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]
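
Added example, not part of the original thread: a small Python sketch of the two ways of counting discussed above, summing the IP header's total-length field versus summing the frame length recorded in the capture file. The capture is constructed in memory (three made-up Ethernet/IPv4 frames); the third frame is padded to 60 bytes, an assumption added here to show that the gap is not always exactly 14 bytes per packet.

```python
import struct

ETH_HDR_LEN = 14          # dst MAC + src MAC + EtherType
ETHERTYPE_IPV4 = 0x0800

def build_frame(ip_total_len, pad_to=0):
    """Constructed Ethernet+IPv4 frame; payload bytes are zero filler."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    # IPv4 header: ver/IHL, TOS, total length, id, frag, TTL, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    frame = eth + ip + b"\x00" * (ip_total_len - len(ip))
    return frame.ljust(pad_to, b"\x00")   # Ethernet pads short frames

def build_pcap(frames):
    """Classic little-endian pcap, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def count_bytes(pcap):
    """Return (sum of IP total-length fields, sum of on-wire frame lengths)."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap handled here")
    ip_sum = wire_sum = 0
    off = 24                               # skip the pcap global header
    while off + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", pcap, off)
        data = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        wire_sum += orig_len               # what a frame-level summary adds up
        if len(data) >= ETH_HDR_LEN + 4:
            ethertype, = struct.unpack_from("!H", data, 12)
            if ethertype == ETHERTYPE_IPV4:
                # bytes 2-3 of the IP header: the "len" value the pipeline sums
                ip_sum += struct.unpack_from("!H", data, ETH_HDR_LEN + 2)[0]
    return ip_sum, wire_sum

# Constructed sample: a full-size segment, a small segment, a padded bare ACK.
SAMPLE = build_pcap([build_frame(1500), build_frame(52), build_frame(40, pad_to=60)])

if __name__ == "__main__":
    ip_sum, wire_sum = count_bytes(SAMPLE)
    print(f"IP total-length sum: {ip_sum}, frame-length sum: {wire_sum}")
```

On the sample the two totals differ by 48 bytes: 14 bytes of Ethernet header for each of the three frames plus 6 bytes of padding on the short one.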
