This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to know how much data transfer occurred in a captured pcap file

0

Can anyone please tell me how I can find out how much data is transferred in a captured pcap file?

I know we can check through Statistics -> Summary, but I'm not sure whether it's a correct way to check the data transferred or not.

Please help.

asked 07 Mar '13, 08:11

adtmv7

Can we check using the last packet's sequence and acknowledgement number?

(07 Mar '13, 09:55) adtmv7

One Answer:

2

Statistics > Summary gives a bird's-eye view of the entire pcap trace.

If you want to explore data transfer in individual TCP/UDP sessions, go to

Statistics > Conversations > TCP/UDP and

click 2 times on Bytes so that you will see the data transfer from high to low.

answered 07 Mar '13, 11:29

krishnayeddula

edited 07 Mar '13, 11:32

Thanks for the response,

Can we check using the "Last Packet" sequence or acknowledgement number?

E.g.: I downloaded 14 Mbytes of an application and captured a pcap file. I want to check where I can find this downloaded data in the pcap (this figure is known to me, but what if I just want to know the total data transfer that happened during a certain interval?). I found the data figure in the acknowledgement number of the last packet. Please correct me if I'm wrong.

Sequence number: 502 (relative sequence number) Acknowledgment number: 14722043 (relative ack number)

(07 Mar '13, 11:42) adtmv7
1

Can you compare the number you are mentioning (14722043) with the number you will find in Statistics > Conversations > TCP/UDP > Bytes B-->A? I suppose 14722043 is from server to client, so there is an option to check how much data transfer was performed from server to client, client to server, and both.

(07 Mar '13, 11:50) krishnayeddula

Hello kserasera,

Please check the image URL link for info.

[image]

(07 Mar '13, 12:25) adtmv7

[image]

(07 Mar '13, 12:26) adtmv7

With this information, what specific session (you've got 3 here) are you looking into? If you decide on one, just right-click and apply as filter > selected, and you can see the full packet exchange.

(07 Mar '13, 12:42) krishnayeddula

I'm not really looking for a specific session's packets; I'm more interested in noting down the data transfer for all the sessions that happened there.

Thanks, I saw your posted question, let's see responses.

(07 Mar '13, 13:23) adtmv7

@adtmv7,

Your "answers" have been converted to comments as that's how this site works. Please read the FAQ for more information.

(07 Mar '13, 14:53) grahamb ♦

Can we check using the last packet's sequence and acknowledgement number?

You can do that to check how much data got transferred from client to server or server to client.

If you check the ack no. of the last packet that the client sent to the server, it will be the amount of data transferred from the server (subtract 1 byte).

If you check the ack no. of the last packet that the server sent to the client, it will be the amount of data transferred from the client (subtract 1 byte).

As someone pointed out, the approach I described includes overhead (IP header + TCP header + Ethernet header).

(07 Mar '13, 15:32) krishnayeddula

What if I get a low acknowledgement number and a high sequence number?

What will be my transfer data session?

[image]

(12 Mar '13, 09:47) adtmv7

AFAIK, a low acknowledgement number and a high sequence number will never happen. In your screenshot you are comparing the sequence and acknowledgement numbers from a single host's perspective; that is why you are seeing a high sequence number and a low acknowledgement number. But if you compare the sequence number of the other end (which will be in the SYN-ACK if it is the server, or in the SYN if it is the client) with the acknowledgement number of the one you are showing, the ack number will outweigh the sequence number (data transfer is incremental, starting from 1 byte and going on). Hope this clears it up...

(12 Mar '13, 11:49) krishnayeddula
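
Added example, not part of the original thread: a Python sketch of the last-ACK method discussed above, run on a constructed TCP conversation and compared with a plain sum of payload lengths. The segment tuples, host labels and function names are assumptions for illustration; it assumes the SYN is in the capture and less than 4 GiB flows per direction.

```python
MOD = 2**32  # TCP sequence numbers are 32-bit and wrap around

# Constructed sample conversation (not taken from the thread's capture).
# Each tuple: (source, raw seq, raw ack, flags, payload length in bytes).
SEGMENTS = [
    ("client", 1000,       0,          "S",  0),
    ("server", 4294967000, 1001,       "SA", 0),
    ("client", 1001,       4294967001, "A",  0),
    ("client", 1001,       4294967001, "PA", 501),   # request
    ("server", 4294967001, 1502,       "A",  1000),  # stream wraps past 2**32 here
    ("server", 705,        1502,       "A",  1000),
    ("server", 705,        1502,       "A",  1000),  # retransmission
    ("client", 1502,       1705,       "A",  0),
    ("server", 1705,       1502,       "FA", 0),
    ("client", 1502,       1706,       "FA", 0),
    ("server", 1706,       1503,       "A",  0),
]

def bytes_acked(segments, sender, receiver):
    """Payload bytes from sender that receiver acknowledged (last-ACK method)."""
    isn = fin_rel = None
    highest = 0  # highest relative ack number seen from receiver
    for src, seq, ack, flags, plen in segments:
        if src == sender:
            if "S" in flags:
                isn = seq                           # initial sequence number
            if "F" in flags and isn is not None:
                fin_rel = (seq + plen - isn) % MOD  # relative seq occupied by FIN
        elif src == receiver and "A" in flags and isn is not None:
            highest = max(highest, (ack - isn) % MOD)
    if highest == 0:
        return 0
    total = highest - 1                             # SYN consumes one sequence number
    if fin_rel is not None and highest > fin_rel:
        total -= 1                                  # an acknowledged FIN consumes one too
    return total

def payload_sent(segments, sender):
    """Sum of TCP payload lengths, counting retransmitted bytes again."""
    return sum(plen for src, _, _, _, plen in segments if src == sender)

if __name__ == "__main__":
    for a, b in (("server", "client"), ("client", "server")):
        print(a, "->", b, "acked:", bytes_acked(SEGMENTS, a, b),
              "payload sum:", payload_sent(SEGMENTS, a))
```

In this sample the server-to-client payload sum is larger than the acknowledged byte count because one segment was retransmitted; the ack-derived figure counts only TCP payload, with no IP or Ethernet header bytes.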