I created a tcpdump file:
tcpdump -i eth0 host xxx.208.xxx.59 -n -s 0 -vvv -w /tmp/dump.dmp
Duration was about 3 hours.
This file now has 450 MB. Can I say now that the IP xxx.208.xxx.59 generated 450 MB traffic in 3 hours?
Best Answer
Yes, maybe, not necessarily.
A pcap file is not simply a byte-for-byte representation of the traffic that was sent/received. Things that will contribute to inaccuracies include:
If you want to account for traffic, do it properly, with port or netflow statistics retrieved from your core.
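To see how far a capture's file size is from the traffic it records, the added example below (not part of the original answer) walks a classic pcap file, separates the pcap framing overhead from the on-wire packet lengths, and splits those lengths by direction relative to the filtered host. The function names, the sample addresses and the three-packet capture are constructed for illustration; it assumes a classic microsecond pcap with Ethernet link type and untagged IPv4.

```python
import socket
import struct

GLOBAL_HDR, RECORD_HDR = 24, 16  # pcap bytes: once per file, once per packet

def pcap_accounting(data, host_ip):
    """Byte counts for a classic pcap (Ethernet link type) held in memory."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic microsecond-resolution pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled here")
    host = socket.inet_aton(host_ip)
    s = {"file_bytes": len(data), "packets": 0, "wire_bytes": 0,
         "from_host": 0, "to_host": 0}
    off = GLOBAL_HDR
    while off + RECORD_HDR <= len(data):
        incl_len, orig_len = struct.unpack(endian + "II", data[off + 8:off + 16])
        frame = data[off + RECORD_HDR:off + RECORD_HDR + incl_len]
        off += RECORD_HDR + incl_len
        s["packets"] += 1
        s["wire_bytes"] += orig_len  # length on the wire, even if truncated
        # Untagged IPv4 over Ethernet: source at 26..30, destination at 30..34
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            if frame[26:30] == host:
                s["from_host"] += orig_len
            elif frame[30:34] == host:
                s["to_host"] += orig_len
    s["pcap_overhead"] = GLOBAL_HDR + RECORD_HDR * s["packets"]
    return s

def build_sample():
    """Constructed three-packet capture; addresses are documentation ranges."""
    host, peer = "192.0.2.59", "198.51.100.7"
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    for src, dst, n in [(host, peer, 40), (peer, host, 1000), (host, peer, 40)]:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + n, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x02" * 12 + b"\x08\x00" + ip + bytes(n)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for key, value in pcap_accounting(build_sample(), "192.0.2.59").items():
        print(f"{key:14} {value}")
```

For a real capture, pass the file's bytes, for example `pcap_accounting(open("/tmp/dump.dmp", "rb").read(), host_ip)`; a 450 MB file is read into memory in one go.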