4

I created a tcpdump file:

tcpdump -i eth0 host xxx.208.xxx.59 -n -s 0 -vvv -w /tmp/dump.dmp

Duration was about 3 hours.

This file now has 450 MB. Can I say now that the IP xxx.208.xxx.59 generated 450 MB traffic in 3 hours?

mgorven
  • 31,399
Danzzz
  • 165

2 Answers

8

Yes, maybe, not necessarily.

A pcap file is not simply a byte-for-byte representation of the traffic that was sent/received. Things that will contribute to inaccuracies include:

  • pcap file overhead. Every packet is timestamped, for instance.
  • Impedance mismatch between pcap's idea of a "packet" and your understanding of what constitutes a "packet". The pcap file will have everything including the link-layer header, which is rarely considered part of a customer's traffic allowance for billing purposes.
  • Missing packets. The pcap layer makes no assurances that all packets will actually be transferred into tcpdump's gentle care. Many packets may have been dropped (for a variety of reasons), and they won't be a part of the count you see.

If you want to account for traffic, do it properly, with port or netflow statistics retrieved from your core.

womble
  • 98,245
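As an added illustration of the first two points (this is not part of the answer above), the following Python walks a classic libpcap file directly, using the 24-byte global header and the 16-byte per-record headers, and separates the file size from the bytes captured, the bytes that were on the wire, and the bytes above the Ethernet header. The sample capture is constructed in-code with dummy frames; pcapng files and 802.1Q-tagged frames are out of scope, and kernel drops (the third point) never appear in the file at all.

```python
import struct

ETH_HDR_LEN = 14  # untagged Ethernet II header; 802.1Q tags add 4 bytes (not handled here)
LINKTYPE_ETHERNET = 1


def _byte_order(magic_le: int) -> str:
    """Map the magic number (read little-endian) to a struct byte-order prefix."""
    if magic_le in (0xA1B2C3D4, 0xA1B23C4D):  # micro- / nanosecond, little-endian file
        return "<"
    if magic_le in (0xD4C3B2A1, 0x4D3CB2A1):  # same, big-endian file
        return ">"
    raise ValueError(f"not a classic pcap file (magic 0x{magic_le:08x})")


def pcap_byte_accounting(data: bytes) -> dict:
    """Return the different 'sizes' one can read out of a pcap file."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    order = _byte_order(struct.unpack("<I", data[:4])[0])
    _, _, _, _, _, snaplen, linktype = struct.unpack(order + "IHHiIII", data[:24])
    packets = captured = on_wire = truncated = 0
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            break  # partial last record, e.g. tcpdump killed mid-write
        packets += 1
        captured += incl_len      # bytes actually stored (limited by snaplen)
        on_wire += orig_len       # bytes the frame had on the wire
        truncated += incl_len < orig_len
        off += incl_len
    l2_hdr = ETH_HDR_LEN if linktype == LINKTYPE_ETHERNET else 0
    return {
        "file_bytes": len(data),                    # what `ls -l` shows
        "packets": packets,
        "captured_bytes": captured,
        "wire_bytes": on_wire,
        "truncated_packets": truncated,
        "ip_and_up_bytes": on_wire - packets * l2_hdr,  # closer to "billable" traffic
        "pcap_overhead_bytes": len(data) - captured,    # global + per-record headers
        "snaplen": snaplen,
    }


def build_sample_pcap(frame_lengths, snaplen=65535) -> bytes:
    """Constructed test input: little-endian pcap, Ethernet link type, zero-filled frames."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    body = b""
    for i, n in enumerate(frame_lengths):
        incl = min(n, snaplen)
        body += struct.pack("<IIII", 1700000000 + i, 0, incl, n) + bytes(incl)
    return hdr + body
```

Run it on a real `-w` file with `pcap_byte_accounting(open("/tmp/dump.dmp", "rb").read())`; with `-s 0` the captured and wire byte counts agree, but the file size still exceeds both by the header overhead.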
1

I would say yes. It is my understanding that the writer (-w) writes the packets byte-for-byte to /tmp/dump.dmp. But I'm only 80% sure...

That would include header information also, but that should be calculated into the throughput statistic.

UndeadBob
  • 111