tcpstat is a mature tool that reports bandwidth, number of packets, packets per second, average packet size, standard deviation of packet size, interface load, etc.
http://www.frenchfries.net/paul/tcpstat/

g

On Tue, 9 Mar 2004 11:50:16 -0600 (CST)
alex medvedev <[EMAIL PROTECTED]> wrote:

> hi,
>
> no, i didn't try to compare my results with any other programs.
> i just wrote the regex as a quick approximation :)
>
> assuming your dump file is filtered, this should be more precise:
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <signal.h>
> #include <pcap.h>
>
> pcap_t *pd;
> char errbuf[PCAP_ERRBUF_SIZE];
> int total_packets = 0;
> int total_length = 0;
>
> /* pcap_loop() callback: add up the on-the-wire length of each packet */
> void
> countit(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
> {
>     total_length += h->len;
>     total_packets++;
> }
>
> /* SIGINT handler: print the running totals */
> void
> sig(int signo)
> {
>     printf("total len = %d, total packets = %d\n", total_length,
>         total_packets);
> }
>
> int
> main(int argc, char *argv[])
> {
>     int count;
>     int linktype;
>     char *ifname;
>     bpf_u_int32 localnet, netmask;
>
>     /* the savefile to read is the only argument */
>     if (argc < 2) {
>         fprintf(stderr, "usage: %s dumpfile\n", argv[0]);
>         exit(1);
>     }
>
>     (void)signal(SIGINT, sig);
>     pd = pcap_open_offline(argv[1], errbuf);
>     if (! pd) {
>         puts(errbuf);
>         exit(1);
>     }
>     linktype = pcap_datalink(pd);
>     printf("linktype %s\n", pcap_datalink_val_to_name(linktype));
>
>     localnet = 0;
>     netmask = 0;
>     /* -1: process packets until the end of the file */
>     count = pcap_loop(pd, -1, countit, 0);
>     if (count < 0)
>         puts(pcap_geterr(pd));
>
>     printf("total len = %d, total packets = %d\n", total_length,
>         total_packets);
>
>     return 0;
> }
>
> thanks,
>
> -alexm
> 11:16 09/03/2004
>
> On Tue, 9 Mar 2004 [EMAIL PROTECTED] wrote:
>
> > Hi, alex,
> > Did you try to compare your result with other programs such as Ethereal?
> > I met a difference.
> > My tcpdump command is similar to yours:
> > tcpdump -v -r host1.tcpdump | grep "len" | sed s/.*len// | cut -d ')' -f 1 | awk '{sum+=$1;print sum}' | tail -1
> >
> > The host1.tcpdump file is the already dumped file with all tcp packets. The above
> > command returned 713596 bytes, but when I use ethereal to get the summary, it's
> > 800697 bytes. And another software also showed 800697 bytes.
> >
> > Where is the potential problem by using that tcpdump filter?
> >
> > WC
> >
> > ----- Original Message -----
> > From: alex medvedev <[EMAIL PROTECTED]>
> > Date: Monday, March 8, 2004 6:56 pm
> > Subject: Re: [tcpdump-workers] how to get total packets length by tcpdump
> >
> > > hi,
> > >
> > > this is a very rough regex and you may have to tweak it but it worked for
> > > me :)
> > >
> > > # tcpdump -v -r tcpdump-raw.dump tcp | grep "length:" |grep -v "^[^0-9]" | sed s/.*length:// | cut -d')' -f 1 | awk '{sum+=$1; print sum}'
> > >
> > > all in one line.
> > > the last number is the answer.
> > >
> > > -alexm
> > > 17:51 08/03/2004
> > >
> > > On Mon, 8 Mar 2004 [EMAIL PROTECTED] wrote:
> > >
> > > > Greetings,
> > > >
> > > > Is there any simple way to calculate the total length (in bytes)
> > > > of all tcp packets in a tcpdump file? I mean, is it possible that
> > > > I can do this by adding some options to tcpdump?
> > > >
> > > > WC
> > > >
> > > > -
> > > > This is the TCPDUMP workers list. It is archived at
> > > > http://www.tcpdump.org/lists/workers/index.html
> > > > To unsubscribe use mailto:tcpdump-workers-[EMAIL PROTECTED]

--
George Bakos
Institute for Security Technology Studies
Dartmouth College
[EMAIL PROTECTED]
603.646.0665 -voice
603.646.0666 -fax
pub 1024D/081ECB85 1999-04-09 George Bakos <[EMAIL PROTECTED]>
Key fingerprint = D646 8F91 F795 27EC FF8B 8C95 B102 9EB2 081E CB85
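
Added example, not part of the thread and not tcpdump or libpcap code: the two approaches in the quoted messages add up different fields. `h->len` in the C program is the frame length on the wire, with link-layer header and any padding, while the length `tcpdump -v` prints for an IP packet is the IP total length. The sketch below reads a classic pcap buffer by hand, assuming little-endian byte order and Ethernet framing, and returns both sums over two constructed frames; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct totals { unsigned long wire, ip, pkts; };
static uint32_t get32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Sum both lengths over the IPv4/TCP frames of a classic little-endian pcap
 * buffer with Ethernet framing. Returns 0, or -1 if the buffer is malformed. */
int sum_tcp(const uint8_t *b, size_t n, struct totals *t) {
    memset(t, 0, sizeof *t);
    if (n < 24 || get32(b) != 0xa1b2c3d4u || get32(b + 20) != 1) return -1;
    for (size_t off = 24; off + 16 <= n; ) {
        uint32_t caplen = get32(b + off + 8), len = get32(b + off + 12);
        const uint8_t *p = b + off + 16;         /* start of the Ethernet frame */
        if (caplen > n - off - 16) return -1;    /* record runs past the buffer */
        off += 16 + caplen;
        if (caplen < 34 || p[12] != 0x08 || p[13] != 0x00) continue; /* not IPv4 */
        if (p[14] >> 4 != 4 || p[23] != 6) continue;                 /* not TCP */
        t->wire += len;                          /* the value h->len reports */
        t->ip += (unsigned)p[16] << 8 | p[17];   /* IP total length field */
        t->pkts++;
    }
    return 0;
}

/* Constructed sample record in a zeroed buffer; both lengths are below 256. */
static size_t add_pkt(uint8_t *b, size_t off, uint8_t frame_len, uint8_t ip_len) {
    uint8_t *p = b + off + 16;                   /* frame follows the record header */
    b[off + 8] = b[off + 12] = frame_len;        /* caplen and len */
    p[12] = 0x08; p[14] = 0x45;                  /* ethertype 0x0800; IPv4, IHL 5 */
    p[17] = ip_len; p[23] = 6;                   /* IP total length; protocol TCP */
    return off + 16 + frame_len;
}

/* Constructed capture: 40-byte IP packet padded to 60, 100-byte IP packet in 114. */
struct totals sample_totals(void) {
    uint8_t b[256] = { 0xd4, 0xc3, 0xb2, 0xa1, 2, 0, 4, 0 }; /* magic, version 2.4 */
    struct totals t;
    b[16] = b[17] = 0xff; b[20] = 1;             /* snaplen 65535, LINKTYPE_ETHERNET */
    sum_tcp(b, add_pkt(b, add_pkt(b, 24, 60, 40), 114, 100), &t);
    return t;
}

int main(void) {
    struct totals t = sample_totals();
    printf("packets=%lu wire=%lu ip=%lu\n", t.pkts, t.wire, t.ip);
    return 0;
}
```

On the constructed capture the wire total exceeds the IP total by 34 bytes: two 14-byte Ethernet headers plus 6 bytes of padding on the short frame.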
