<br><div class="gmail_quote"><div><div class="Wj3C7c">Hi
<div class="gmail_quote"><div> </div>
<div>i want measure size of data that transfer in per side(how many recieve and how many send)</div>
<div> </div>
<div>I have downloaded one file with size:almost 4MB</div>
<div>and capture its with tcpdump(only with filtering on tcp header and on my IP )</div>
<div>and sum of received data in connections almost is:4MB (this sum
have been measured in Bro via field of endpoint size in connection) </div>
<div>then i filter same output of tcpdump only for tcpflags(<b>SYN,RST,FIN</b>) and save with pcap format</div>
<div>and sum of received data in connections almost is:1MB<br><br>(i run tcpdump while file(with 4MB size) is downloading with follow filter:<br>"tcpdump -w pcapfile1 'tcp and host <MY IP ADDRESS>' "<br>
then i apply filtering on pcapfile1:<br>"tcpdump -r pcapfile1 -w pcapfile2 'tcp[tcpflags]&(tcp-syn|tcp-<div>fin|tcp-rst)!=0 ' "<br>
then i measured size of data by Bro version :1.2.1<br>but results are different(on pcapfile1 is 4MB and on pcapfile2 is 1MB)<br>OS: Linux(Fedora Core 8) )<br>you can perform this work and measure sum of data that is received for two files</div>
</div>
<div> </div>
<div>i don't know reason of this <span>repugnance</span> </div>
<div>i need measure size of data that transfer in per side of connection really while i have filter network traffic only</div>
<div>for <b>SYN,RST,FIN packet header</b></div>
<div> </div>
<div>how to solve this problem?</div>
<div> </div>
please help me<br clear="all">thanks<br clear="all"><font color="#888888"><br></font></div>-- <br>Talebi Mazraeh Shahi Hossein <br>
</div></div></div><br><br clear="all"><br>-- <br>Talebi Mazraeh Shahi Hossein <br>