I created a tcpdump file:
tcpdump -i eth0 host xxx.208.xxx.59 -n -s 0 -vvv -w /tmp/dump.dmp
duration was about 3 hours.
This file now has 450 MB. Can I say now that the IP xxx.208.xxx.59 generated 450 MB traffic in 3 hours?
Asked
Active
Viewed 1,534 times
3
2 Answers
8
Yes, maybe, not necessarily.
A pcap file is not simply a byte-for-byte representation of the traffic that was sent/received. Things that will contribute to inaccuracies include:
- pcap file overhead. Every packet is timestamped, for instance.
- Impedance mismatch between pcap's idea of a "packet" and your understanding of what constitutes a "packet". The pcap file will have everything including the link-layer header, which is rarely considered part of a customer's traffic allowance for billing purposes.
- Missing packets. The pcap layer makes no assurances that all packets will actually be transferred into tcpdump's gentle care. Many packets may have been dropped (for a variety of reasons), and they won't be a part of the count you see.
If you want to account for traffic, do it properly, with port or netflow statistics retrieved from your core.
womble
- 95,029
- 29
- 173
- 228
-
thx. so you mean just adding a port, for example port 110 to the tcpdump comment? – Danzzz Aug 10 '12 at 01:08
-
2@Danzzz - no, he means performing your accounting on **switch ports**. This has nothing to do with IP ports. – EEAA Aug 10 '12 at 01:20
1
I would say yes. As it is my understanding the writer (-w) writes the packets byte-for-byte to /tmp/dump.dmp. But I'm only 80% sure...
That would include header information also, but that should be calculated into the throughput statistic.
UndeadBob
- 111
- 3
-
I don't know why I didn't think of this before, but it's also worth mentioning that the "-n" and "-vvv" is unnecessary until you read (-r) the /tmp/dump.dmp. Not sure about the "-s" so I usually leave it in. I've not run into a situation where it was totally necessary. – UndeadBob Aug 11 '12 at 18:44