Use IP or TCP packet length to analyze how much data transferred


I am pretty new to network traffic. I am trying to get the size of data transferred every second in the internet traffic. I downloaded one pcap file, and I'm using tcpdump to analyze it. By running

 tcpdump -tttt -v -r sample.pcap

I get some records like below:

21:00:00.539514 IP (tos 0x0, ttl 118, id 0, offset 0, flags [none], proto ICMP (1), length 32)
111.195.18.190 > host-203-203-22-140.net: ICMP echo reply, id 11884, seq 4803, length 12

According to the tutorial (http://packetpushers.net/masterclass-tcpdump-interpreting-output/), the first length (32) is the entire IP packet length, and the second length (12) is the TCP packet length.

I want to know how much data was transferred between two hosts. Which one should I use: IP length, TCP length, or something else?

kaitoy On

Application data (maybe a video, a message, a picture, etc.) is sent with a few headers of lower layers (TCP header (layer 4), IPv4 header (layer 3), Ethernet header (layer 2), etc.). A TCP packet is the application data plus a TCP header, an IPv4 packet is a TCP packet plus an IPv4 header, and so on.

IP packet length is TCP packet length + IP header length. This is why the first length and the second length are different.

Headers may be changed by network devices between the two hosts, so there is no way to know how much data was transferred between the two. If you want to know the length of each packet in the pcap file, run tcpdump -e -r sample.pcap and see the first length of each line.
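As an added illustration (not from the question or the answer above), the following script parses tcpdump -v output in the two-line-per-packet form shown in the question, takes the first "length" (IP total length) as the per-packet byte count, reports the header overhead between the two lengths, and sums bytes per second and per source/destination pair. The sample lines are constructed; the regular expressions also accept the date prefix that -tttt normally prints.

```python
import re
from collections import defaultdict

# Constructed sample shaped like `tcpdump -tttt -v -r sample.pcap` output, two lines
# per packet; the date -tttt prints is optional since the question's excerpt omits it.
SAMPLE = """\
21:00:00.539514 IP (tos 0x0, ttl 118, id 0, offset 0, flags [none], proto ICMP (1), length 32)
    111.195.18.190 > host-203-203-22-140.net: ICMP echo reply, id 11884, seq 4803, length 12
21:00:00.812004 IP (tos 0x0, ttl 64, id 4711, offset 0, flags [DF], proto TCP (6), length 1500)
    10.0.0.5.443 > 10.0.0.9.52344: Flags [.], seq 1:1449, ack 1, win 501, length 1448
21:00:01.004200 IP (tos 0x0, ttl 64, id 4712, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.0.9.52344 > 10.0.0.5.443: Flags [.], ack 1449, win 2048, length 0
"""

# Packet's first line: "length N" is the IP total length (IP header + everything it carries).
HDR = re.compile(r"^(?:\d{4}-\d{2}-\d{2} )?(\d{2}:\d{2}:\d{2})\.\d+ IP \(.*?length (\d+)\)$")
# Second line: "length M" is the layer-4 length tcpdump prints (the whole ICMP
# message here; for TCP/UDP it is the payload without the TCP/UDP header).
L4 = re.compile(r"^\s*(\S+) > (\S+): .*length (\d+)$")

def parse_tcpdump(text):
    """Return one dict per packet: second, src, dst, ip_len, l4_len."""
    packets, current = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            current = {"second": m.group(1), "ip_len": int(m.group(2))}
            continue
        m = L4.match(line)
        if m and current is not None:
            current.update(src=m.group(1), dst=m.group(2), l4_len=int(m.group(3)))
            packets.append(current)
            current = None
    return packets

def bytes_per_second(packets):
    """Sum the IP total length per wall-clock second (what the question asks for)."""
    totals = defaultdict(int)
    for p in packets:
        totals[p["second"]] += p["ip_len"]
    return dict(totals)

def bytes_per_pair(packets):
    """Sum IP bytes per (src, dst) as printed; the reverse direction is a separate key."""
    totals = defaultdict(int)
    for p in packets:
        totals[(p["src"], p["dst"])] += p["ip_len"]
    return dict(totals)
```

For the ICMP line from the question, ip_len minus l4_len is 20, i.e. the IPv4 header; for the TCP lines the gap also includes the TCP header. Run tcpdump -e instead if the per-frame length including the Ethernet header is what you need.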