Hi guys, can you please tell me, what is the difference between Bytes on wire vs. bytes captured?

Bytes on wire = 550 bytes. The log of the application I'm working with says "Sending 508 bytes to". 8 bytes UDP Header + 20 TCP + 14 Eth II = 550 bytes. What is this value, bytes captured?

Next, what I don't understand: the UDP "Length" field = a field that specifies the length in bytes of the UDP header and UDP data. Wait a minute, "UDP header and UDP data", so the Length equals 516 bytes and Data 54 bytes, so 516 - 54 = UDP header??? Is it not 8 bytes?

asked 25 Sep '15, 05:55 adasko
2 Answers:
You can look here: https://blog.packet-foo.com/2015/08/frame-bytes-vs-frame-file-headers/

answered 25 Sep '15, 06:05 Christian_R
When you start a packet capture you can specify how many bytes from a packet you want to capture, e.g. the default with tcpdump is 96 bytes. You can change it with the -s option. If you say -s0 you will capture the full packet.

answered 25 Sep '15, 11:32 Roland

OK, so the blog and Roland's comment helped me to understand it, now it's clear. But what about the second screenshot? It says UDP length equals 516 bytes but Data = 54 bytes, so how can the UDP header be 8 bytes long? (25 Sep '15, 12:25) adasko

What version of Wireshark are you using? (25 Sep '15, 12:51) Roland

Only 96 bytes were captured. Subtracting 14 bytes for the Ethernet header, 20 bytes for the IP header, and 8 bytes for the UDP header leaves 54 bytes of UDP data in the packet captured by Wireshark. In other words, because only 96 bytes were captured, Wireshark only has the first 54 bytes of the 508-byte UDP payload. The 508-byte payload, plus the 8-byte UDP header, adds up to 516 bytes, so that's what is in the Length field of the UDP header, and the Length field is included in the 96 bytes that were captured. That value is the length of the UDP datagram in the original packet as transmitted on the wire, not the truncated packet captured by Wireshark. (25 Sep '15, 13:18) Jim Aragon

Thank you all, guys. The link did in fact answer all my questions! Best Regards, Adam (27 Sep '15, 14:32) adasko
96 bytes captured - (8 UDP header + 20 IP header + 14 Ethernet header) = 54 bytes left for actual captured data.

Wireshark shows you at this point of the tree only the actual captured data (info).
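The arithmetic in this thread, reproduced end to end as an added example (this is not code from the original post, from Wireshark or from any poster). It constructs an Ethernet II / IPv4 / UDP frame carrying a 508-byte payload, writes it to an in-memory pcap the way a capture tool with snaplen 96 would (the per-record header stores both the captured length and the original length on the wire), then dissects the truncated record the way Wireshark does: the UDP Length field still says 516 because it was copied off the wire, while only 54 bytes of payload are actually present. All addresses, ports and the payload are constructed sample values; the pcap file layout is the standard libpcap format.

```python
import struct

LINKTYPE_ETHERNET = 1
TCPDUMP_DEFAULT_SNAPLEN = 96      # the old tcpdump default discussed in the thread
PAYLOAD_LEN = 508                 # "Sending 508 bytes to" in the application log


def ip_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def build_frame(payload: bytes) -> bytes:
    """Ethernet II + IPv4 + UDP around `payload` (sample MACs/IPs/ports, constructed)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    udp_len = 8 + len(payload)                      # UDP Length = header + data
    ip_total = 20 + udp_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    udp_hdr = struct.pack("!HHHH", 40000, 5000, udp_len, 0)   # UDP checksum 0 = not computed
    return eth + ip_hdr + udp_hdr + payload


def write_pcap(frames, snaplen: int) -> bytes:
    """Serialize frames as a libpcap file, truncating each record to `snaplen` bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for frame in frames:
        captured = frame[:snaplen]
        # record header: ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)
        out += struct.pack("<IIII", 0, 0, len(captured), len(frame)) + captured
    return out


def read_pcap(data: bytes):
    """Yield (incl_len, orig_len, bytes) per record from a little-endian pcap."""
    off = 24                                        # skip the global header
    while off < len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield incl_len, orig_len, data[off:off + incl_len]
        off += incl_len


def dissect(incl_len: int, orig_len: int, frame: bytes) -> dict:
    """Report the figures Wireshark shows for one Ethernet/IPv4/UDP record.

    Only bytes that were actually captured are ever indexed; the UDP Length
    field is a claim from the wire (and attacker-controlled on hostile traffic),
    so payload bounds are taken from the captured length, not from that field.
    """
    udp_off = 14 + (frame[14] & 0x0F) * 4           # Ethernet + IHL*4
    if len(frame) < udp_off + 8:
        raise ValueError("snaplen too small: UDP header itself is truncated")
    _src, _dst, udp_len, _csum = struct.unpack_from("!HHHH", frame, udp_off)
    data_captured = len(frame) - (udp_off + 8)
    return {
        "bytes_on_wire": orig_len,
        "bytes_captured": incl_len,
        "udp_length_field": udp_len,               # header + data as sent, from the wire
        "udp_data_on_wire": udp_len - 8,
        "udp_data_captured": min(data_captured, udp_len - 8),
        "truncated": incl_len < orig_len,
    }


def demo(snaplen: int = TCPDUMP_DEFAULT_SNAPLEN) -> dict:
    """Capture one 508-byte UDP datagram at the given snaplen and dissect it."""
    frame = build_frame(bytes([0x41]) * PAYLOAD_LEN)    # constructed payload
    pcap = write_pcap([frame], snaplen)
    incl_len, orig_len, rec = next(read_pcap(pcap))
    return dissect(incl_len, orig_len, rec)


if __name__ == "__main__":
    for snap in (TCPDUMP_DEFAULT_SNAPLEN, 65535):       # tcpdump default vs. -s0
        print(f"snaplen={snap}:", demo(snap))
```

With snaplen 96 the result is bytes_on_wire 550, bytes_captured 96, udp_length_field 516, udp_data_captured 54 and truncated True, matching the screenshot in the question; with snaplen 65535 (what `tcpdump -s0` gives you) all 550 bytes are captured and the full 508-byte payload is present. For forensics or IDS work always capture with a full snaplen: a truncated record tells you a 508-byte datagram was sent but cannot tell you what was in it.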