Tcpdump file size == traffic size

Tags: packet-sniffer, sniffing, tcpdump

I created a tcpdump file:

tcpdump -i eth0 host xxx.208.xxx.59 -n -s 0 -vvv -w /tmp/dump.dmp

The duration was about 3 hours.

This file is now 450 MB. Can I say that the IP xxx.208.xxx.59 generated 450 MB of traffic in 3 hours?

Best Answer

Yes, maybe, not necessarily.

A pcap file is not simply a byte-for-byte representation of the traffic that was sent/received. Things that will contribute to inaccuracies include:

  • pcap file overhead. Every packet is timestamped, for instance.
  • Impedance mismatch between pcap's idea of a "packet" and your understanding of what constitutes a "packet". The pcap file will have everything including the link-layer header, which is rarely considered part of a customer's traffic allowance for billing purposes.
  • Missing packets. The pcap layer makes no assurances that all packets will actually be transferred into tcpdump's gentle care. Many packets may have been dropped (for a variety of reasons), and they won't be a part of the count you see.

If you want to account for traffic, do it properly, with port or netflow statistics retrieved from your core.
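As an added example (not part of the answer above), this Python script parses a classic pcap file and separates the pieces the answer lists: the 24-byte file header and 16-byte per-packet record header, captured length versus on-the-wire length (they differ when a snaplen truncates packets), and the 14-byte Ethernet header that a billing count would not include. The sample capture is constructed inline; packets the kernel dropped before tcpdump saw them leave no trace in the file (tcpdump only reports their count on stderr at exit), so no parser can recover them.

```python
import struct

PCAP_GLOBAL_HDR = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_HDR = 16   # ts_sec, ts_usec, incl_len, orig_len
ETHERNET_HDR = 14      # dst MAC + src MAC + ethertype (LINKTYPE_ETHERNET = 1)

# Constructed sample: (timestamp, length on the wire, frame bytes).
# Zero-filled frames stand in for a SYN, a full-size data frame and an ACK.
SAMPLE_PACKETS = [(0, 74, b"\x00" * 74), (0, 1514, b"\x00" * 1514), (1, 60, b"\x00" * 60)]

def build_pcap(packets, snaplen=65535):
    """Write a little-endian, microsecond pcap file. Frames longer than
    snaplen are truncated, as tcpdump does without '-s 0'."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for ts, orig_len, frame in packets:
        incl = frame[:snaplen]
        out += struct.pack("<IIII", ts, 0, len(incl), orig_len) + incl
    return out

def pcap_accounting(blob):
    """Return (file_bytes, captured_bytes, wire_bytes, ip_bytes, packets).
    wire_bytes uses orig_len, i.e. the full frame even when truncated;
    ip_bytes strips the link-layer header, the figure billing would use."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # magic read back-to-front: big-endian writer
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    linktype, = struct.unpack_from(endian + "I", blob, 20)
    off, n, captured, wire = PCAP_GLOBAL_HDR, 0, 0, 0
    while off + PCAP_RECORD_HDR <= len(blob):
        _, _, incl_len, orig_len = struct.unpack_from(endian + "IIII", blob, off)
        off += PCAP_RECORD_HDR + incl_len
        n += 1
        captured += incl_len
        wire += orig_len
    link_hdr = ETHERNET_HDR if linktype == 1 else 0
    return len(blob), captured, wire, wire - n * link_hdr, n

if __name__ == "__main__":
    for snap in (65535, 96):
        size, cap, wire, ip, n = pcap_accounting(build_pcap(SAMPLE_PACKETS, snap))
        print(f"snaplen={snap}: file={size} B, captured={cap} B, "
              f"on wire={wire} B, IP-level={ip} B, packets={n}")
```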