Wireshark-dev: [Wireshark-dev] Conversation and endpoints byte counts

From: Chris Maynard <Christopher.Maynard@xxxxxxxxx>
Date: Sat, 9 Jul 2011 02:44:37 +0000 (UTC)

With my recent commit in r37945, it is now possible to view GRE-encapsulated IP
conversations and endpoints, which also include any other supported
conversations such as UDP and TCP as well.  However, when looking at the bytes
being counted as part of those conversations, I noticed that they were all the
same and in fact included the byte count for the entire packet rather than only
for the Layer3/4 that the conversation pertained to.  For example, I have a
Linux Cooked encapsulated packet as follows:

Linux cooked header: 16 bytes
IP header: 20 bytes
GRE: 8 bytes (normally 4 bytes, but it includes the optional 4 byte key field)
IP header: 20 bytes
UDP header: 8 bytes
UDP Payload: 52 bytes
TOTAL: 124 bytes

So given the above example, all conversations at all layers show the number of
bytes being transferred as 124 bytes.  I believe this to be in error.  The outer
IP conversation encompasses only 108 bytes, the GRE-encapsulated inner IP
conversation encompasses only 80 bytes, and the UDP conversation encompasses
only 60 bytes.

I started making changes to the gtk/conversation*.c and gtk/hostlist*.c files,
but thought that I should check with the other developers first to be sure this
is the right thing to do.  Thoughts?  Thanks.
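
The per-layer arithmetic in the message above, as an added example (not part of the original e-mail and not Wireshark code): a small C parser that walks a Linux cooked / IPv4 / GRE / IPv4 / UDP frame and reports the bytes from each layer's first byte to the end of the frame. The function names, the struct and the zero-filled sample frame are constructed for illustration; a GRE header with the routing flag set is rejected rather than parsed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes from the start of each layer to the end of the frame. */
struct layer_bytes { size_t outer_ip, inner_ip, udp; };
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Return the IPv4 header length if p holds an IPv4 header carrying proto, else 0. */
static size_t ipv4_hdr(const uint8_t *p, size_t avail, uint8_t proto) {
    if (avail < 20 || (p[0] >> 4) != 4 || p[9] != proto) return 0;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    return (ihl >= 20 && ihl <= avail) ? ihl : 0;
}

/* Walk SLL -> IPv4 -> GRE -> IPv4 -> UDP. Returns 0 on success, -1 if malformed. */
int count_layers(const uint8_t *pkt, size_t len, struct layer_bytes *out) {
    size_t off = 16, ihl;                 /* Linux cooked (SLL) header: fixed 16 bytes */
    if (len < off || be16(pkt + 14) != 0x0800) return -1;
    out->outer_ip = len - off;
    if (!(ihl = ipv4_hdr(pkt + off, len - off, 47))) return -1;   /* 47 = GRE */
    off += ihl;
    if (len - off < 4 || be16(pkt + off + 2) != 0x0800) return -1;
    uint16_t flags = be16(pkt + off);
    if (flags & 0x4000) return -1;        /* routing flag set: not handled here */
    /* 4-byte base header, plus 4 bytes each for checksum (C), key (K), sequence (S) */
    off += 4 + 4 * (size_t)(!!(flags & 0x8000) + !!(flags & 0x2000) + !!(flags & 0x1000));
    if (off > len) return -1;
    out->inner_ip = len - off;
    if (!(ihl = ipv4_hdr(pkt + off, len - off, 17))) return -1;   /* 17 = UDP */
    off += ihl;
    if (len - off < 8) return -1;         /* need a full UDP header */
    out->udp = len - off;
    return 0;
}

/* Constructed sample with the e-mail's layout: 16+20+8+20+8+52 = 124 bytes. */
size_t build_sample(uint8_t *buf) {
    memset(buf, 0, 124); buf[14] = 0x08;  /* zero-fill; SLL protocol field = IPv4 */
    buf[16] = 0x45; buf[25] = 47;         /* outer IPv4, IHL 5, protocol GRE */
    buf[36] = 0x20; buf[38] = 0x08;       /* GRE: K flag set, protocol IPv4 */
    buf[44] = 0x45; buf[53] = 17;         /* inner IPv4, IHL 5, protocol UDP */
    return 124;
}

int main(void) {
    uint8_t buf[124]; struct layer_bytes lb;
    if (count_layers(buf, build_sample(buf), &lb)) return 1;
    printf("outer IP %zu, inner IP %zu, UDP %zu\n", lb.outer_ip, lb.inner_ip, lb.udp);
    return 0;
}
```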