This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Which IP sent the biggest amount of data?

0	i have a pcap file to analyse and i want to find out which ip sent the biggest amount of data .. what is the steps? ip data asked 27 Mar '17, 14:34 seeker 11●1●1●3 accept rate: 0%

One Answer:

Use the Statistics menu to look at the Endpoint statistic, and select the IP tab.

answered 27 Mar '17, 14:35

Jasper ♦♦
23.8k●5●51●284
accept rate: 18%

i found tabs named (Bytes A-> B) and (Bytes B->A) each tab carries a different size number, what is the difference between them?

(27 Mar '17, 14:40) seeker

I think you went to "Conversations" instead of "Endpoints", which lists two IPs talking to each other (A and B). In the endpoint statistic, there is no A and B :-)

(27 Mar '17, 14:42) Jasper ♦♦

in "Endpoints" there is two IPs in two separated lines, the first line the first IP sent 100 from A to B and sent 50 from B to A, the second line the second IP sent 50 from A to B and sent 100 from B to A (the reversed statics from line 1), does that mean the first IP sent the biggest amount "100"?

(27 Mar '17, 14:54) seeker

Yes, you're right, I didn't notice, those column labels are misleading in version 2.x (I think they're plain wrong, tbh) - they should read "Tx Packets", "Tx Bytes", "RX Packets", "Rx Bytes", with "Tx" = "Transmitted" and "Rx" = "Received", as they were in version 1.x

(27 Mar '17, 14:59) Jasper ♦♦

thanks a lot, i should they are plain wrong too with Tx and Rx it became easier :-)

(27 Mar '17, 15:04) seeker

I added a bug report to the bugtracker here: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13526