Can any one please tell me, How can I get to know, how much data is transferred in captured pcap file. I know, we can check through statistics -> summary, but not sure whether it's a correct way to check data transferred or not. Please help. asked 07 Mar '13, 08:11  adtmv7 |
One Answer:
Statistics >Summary gives a bird's eye view of entire pcap trace. If you want to explore data transfer in individual TCP/UDP Sessions Go to Statistics > Conversations > TCP/UDP and Click 2 times on Bytes so that you will see the data transfer from high to low. answered 07 Mar '13, 11:29  krishnayeddula edited 07 Mar '13, 11:32 Thanks for the response, Can we check using the "Last Packet" sequence or acknowledgement number ? Eg: I downloaded 14 Mbytes of application, and captured pcap file, I want to check where I can find this downloaded data on pcap (As this figure is known to me, but what If i just want to know the total data transfer happened during certain interval), the data numbers I found it in acknowledgement number of last packet. Please correct me If I'm wrong. Sequence number: 502 (relative sequence number) Acknowledgment number: 14722043 (relative ack number) (07 Mar '13, 11:42) adtmv7 1 Can you compare the number you are mentioning(14722043) with the number you will find in Statistics > Conversations >TCP/UDP> Bytes B-->A? I suppose 14722043 is from server to client so there is an option to check how much data transfer performed between server to client ,client to server and both. (07 Mar '13, 11:50) krishnayeddula Hello kserasera, Please check the image url link, for info.
(07 Mar '13, 12:25) adtmv7
(07 Mar '13, 12:26) adtmv7 With this information what specific session(you got 3 here) you are looking in to? If you decide on one just right click and apply as filter selected you can see the full packet xchange (07 Mar '13, 12:42) krishnayeddula 1 I posted a question related : (07 Mar '13, 12:58) krishnayeddula I'm not really looking for specific sessions packets, I'm more interested in taking and note down data transfer for all session happened there. Thanks, I saw your posted question, let's see responses. (07 Mar '13, 13:23) adtmv7 @adtmv7, Your "answers" have been converted to comments as that's how this site works. Please read the FAQ for more information. (07 Mar '13, 14:53) grahamb ♦ Can we check using last packet sequence and acknowledgement number ? You can do that to check how much data got transferred from client to server or server to client. If you check the ack.no of last packet that client sent to server it will be the amount of data transferred from server(subtract 1 byte) If you check the ack.no of last packet that server sent to client ;it will be the amount of data transferred from client(Subtract 1 byte) As someone pointed out the approach i told includes overhead(IP header +TCP Header+Ethernet Header) (07 Mar '13, 15:32) krishnayeddula What if i get, Less acknowledgement number and high sequence number. What will be my transfer data session ?
(12 Mar '13, 09:47) adtmv7 AFAIK,Less acknowledgement and high sequence number will never happen. In your screen shot you are comparing sequence and acknowledgement from single host perspective that is why you are seeing high sequence number and low acknowledgement number but if you compare the sequence number of other end(which will be in syn-ack if it is server or in syn if it is client) with the acknowledgement of the one you are showing,ack number will outweigh(data transfer is incremental starting from 1 byte and goes on) the sequence number. Hope this clears... (12 Mar '13, 11:49) krishnayeddula showing 5 of 11 show 6 more comments |
Can we check using last packet sequence and acknowledgement number ?