Hafiz Muhammad Shafiq

Reputation: 8670

Find data transferred by Wireshark on pcap file

I have a huge pcap file. I want to know Facebook usage in terms of data transferred (upload, download). For that, I am using Wireshark to read this file. From a question on Stack Overflow, there are many fields that can be used to find bytes.

frame.len==243
ip.len==229
udp.length==209
data.len==201

Now, I have tested frame.len and ip.len and both give different results. Which should I consider correct? I am a newbie in networking terminology and I just have to find the correct data transferred.

Upvotes: 0

Views: 2442

Answers (1)

nnovich-OK

Reputation: 3153

What happens when you connect to a server and request some simple page:

  1. The server application generates the requested data (e.g. the <body>Hello world</body> string) and passes it to the HTTP layer
  2. The HTTP layer generates the necessary header according to the RFC (specifies HTTP version, status code, content type etc.), prepends it to the generated data and passes everything to the TCP layer
  3. The TCP layer may break the data into more than one piece (not our case, the message is too small) and prepends the necessary transport-layer info to each piece (src/dst port number, sequence number, some flags, checksum etc.), then passes it to the IP level
  4. The IP layer prepends the necessary info for routing (source/dest addresses, TTL and other stuff), then passes it to the lower layer (e.g. Ethernet)
  5. Ethernet adds its part (MAC addresses, maybe VLAN tags) and pushes everything to the physical device
  6. The resulting data is sent byte-by-byte from the server's NIC to the network

So your question is actually up to you. What do you want to measure? Is it "data which I need to display, excluding all auxiliary info"? Or is it "the total number of bytes I need to send/receive for getting this lovely cat picture"? Here is a list of fields to get the size of each part:

  1. To get data length only (as a string, unfortunately): http.content_length_header == "606"
  2. To get (data + HTTP header) length: tcp.len == 973
  3. To get (data + HTTP + TCP + IP layers): ip.len == 1013
  4. To get every byte sent: frame.len == 1027

If you want to measure bandwidth occupation, use frame.len. If you're interested in "pure site weight", it should be independent of the environment, so use http.content_length_header. Things might become more complicated at a higher level considering the following:

  • The era of HTTPS means you can't easily observe HTTP content in traces, so tcp.len might be the highest option
  • Some data (e.g. audio, video) is transferred over a different protocol stack (e.g. IP - UDP - RTP)

Upvotes: 1
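To make the layer boundaries in the answer concrete, here is an added example (not code from the question or the answer) that builds a tiny constructed pcap, then recomputes from the raw bytes the same numbers Wireshark labels frame.len, ip.len, tcp.len, udp.length and http.content_length_header, and sums them per direction for one server address. The addresses (203.0.113.10 as the server, 192.0.2.5 as the client) are RFC 5737 documentation addresses chosen for the sample; the frames are hand-built with no FCS, no VLAN tag and no IPv6, and the reader is a plain little-endian pcap parser (no pcapng). The function and field names are this example's own.

```python
import struct
from collections import Counter

# Constructed sample traffic (not a real capture). 203.0.113.10 plays the web server,
# 192.0.2.5 the browser; both are RFC 5737 documentation addresses.
SERVER = "203.0.113.10"
CLIENT = "192.0.2.5"
REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\nHello world"
MEDIA = b"\x80" * 160  # stand-in for an RTP-style UDP payload


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src, dst, sport, dport, payload, proto="tcp"):
    """Ethernet/IPv4/{TCP,UDP} frame with minimal headers and no FCS (constructed data)."""
    if proto == "tcp":
        # data offset 5 (20-byte header), flags PSH+ACK, checksum left at zero
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
        ipproto = 6
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ipproto = 17
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, ipproto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + l4


def build_pcap(frames):
    """Little-endian, microsecond-resolution pcap with Ethernet link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SERVER, 40000, 80, REQUEST),
    build_frame(SERVER, CLIENT, 80, 40000, RESPONSE),
    build_frame(SERVER, CLIENT, 5004, 50000, MEDIA, proto="udp"),
])


def pcap_records(data):
    """Yield raw frames one at a time, so a huge file is never fully materialised."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here (no pcapng)")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def layer_lengths(frame):
    """Recompute what Wireshark shows as frame.len, ip.len, tcp.len/udp.length and Content-Length."""
    res = {"frame.len": len(frame)}           # every captured byte, Ethernet header included
    if frame[12:14] != b"\x08\x00":
        return res                            # not IPv4 (e.g. ARP): only the wire size applies
    ihl = (frame[14] & 0x0F) * 4
    ip_len = struct.unpack("!H", frame[16:18])[0]   # IP header + everything above it
    res.update({"ip.len": ip_len,
                "src": ".".join(map(str, frame[26:30])),
                "dst": ".".join(map(str, frame[30:34]))})
    l4 = 14 + ihl
    if frame[23] == 6:                        # TCP: payload = ip.len - IP header - TCP header
        doff = (frame[l4 + 12] >> 4) * 4
        res["tcp.len"] = ip_len - ihl - doff
        for line in frame[l4 + doff:14 + ip_len].split(b"\r\n"):
            if line.lower().startswith(b"content-length:"):   # only visible on plaintext HTTP
                res["http.content_length_header"] = line.split(b":", 1)[1].strip().decode()
    elif frame[23] == 17:                     # UDP: udp.length counts the 8-byte UDP header too
        res["udp.length"] = struct.unpack("!H", frame[l4 + 4:l4 + 6])[0]
    return res


def totals_for_server(pcap, server):
    """Sum every length field per direction: upload = frames sent to server, download = from it."""
    totals = {"upload": Counter(), "download": Counter()}
    for frame in pcap_records(pcap):
        info = layer_lengths(frame)
        if info.get("dst") == server:
            bucket = totals["upload"]
        elif info.get("src") == server:
            bucket = totals["download"]
        else:
            continue
        for field, value in info.items():
            if field not in ("src", "dst"):
                bucket[field] += int(value)   # Content-Length arrives as a string, as in Wireshark
    return totals


if __name__ == "__main__":
    for direction, counts in totals_for_server(SAMPLE_PCAP, SERVER).items():
        print(direction, dict(counts))
```

Run on the sample, the download bucket shows how the fields nest: frame.len (306) exceeds ip.len (278) by exactly 14 bytes per frame of Ethernet header, tcp.len (50) is only the HTTP bytes of the one response, udp.length (168) covers the media frame that tcp.len never sees, and http.content_length_header (11) is the body alone. On a real capture the same figures come from tshark without writing a parser, e.g. `tshark -r huge.pcap -Y 'ip.addr == 203.0.113.10' -T fields -e ip.src -e frame.len -e ip.len -e tcp.len`, and Wireshark's Statistics > Conversations gives per-direction byte totals (frame.len sums) per address pair. Captures carrying 802.1Q tags or a trailing FCS shift these offsets, and Facebook traffic is TLS, so in practice tcp.len is the ceiling the answer describes and Content-Length is not recoverable.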
