Ethereal-users: Re: [Ethereal-users] capture file overhead?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 17 Dec 2004 09:45:27 -0800

M. Snigel wrote:

> I'm trying to use Ethereal (on WinXP) to measure the
> network traffic over time on a network interface, by
> basically capturing the traffic into rotating files
> and then regularly running a script checking the sizes
> and sequential numbers of the capture files.

Well, that's *a* way to measure network traffic. It's not necessarily the *best* way to do so, however; for one thing, if you *only* want to measure the overall traffic, and don't actually need to save the traffic, you might want to run a program such as ntop:

	http://www.ntop.org/

> Now, my question is, how much overhead would these
> files contain? That is, how much data does ethereal
> add itself to the captured data when it creates the
> files?

Ethereal uses libpcap format, which, in its current form, adds:

	1) a file header, which is 24 bytes long, at the beginning of the file;

	2) a packet header, which is 16 bytes long, at the beginning of each packet.

In the future, a "next-generation" libpcap format will probably be introduced; it will add more per-packet and per-file information, and the amounts of information will be variable.
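
The overhead figures above, worked through as an added example that is not part of the original message or of Ethereal's own code: it walks a classic libpcap stream and separates header overhead from captured bytes. It goes slightly beyond the message by also summing each record's original on-the-wire length, which differs from the saved length when a snapshot length truncates packets; the function names and the in-memory sample capture are constructed for illustration.

```python
import io
import struct

FILE_HDR_LEN = 24    # libpcap file header size, as stated in the message
PKT_HDR_LEN = 16     # libpcap per-packet header size, as stated in the message

def pcap_overhead(stream):
    """Walk a classic libpcap stream; return packet count and byte totals."""
    hdr = stream.read(FILE_HDR_LEN)
    if len(hdr) != FILE_HDR_LEN:
        raise ValueError("truncated file header")
    # The magic number reveals the byte order the writer used.
    # 0xa1b2c3d4 = microsecond timestamps, 0xa1b23c4d = nanosecond variant.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", hdr[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D):
            break
    else:
        raise ValueError("not a libpcap file")
    packets = captured = on_wire = 0
    while True:
        rec = stream.read(PKT_HDR_LEN)
        if not rec:
            break
        if len(rec) != PKT_HDR_LEN:
            raise ValueError("truncated packet header")
        # Fields: ts_sec, ts_frac, incl_len (bytes saved), orig_len (bytes on wire)
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        if len(stream.read(incl_len)) != incl_len:
            raise ValueError("truncated packet data")
        packets += 1
        captured += incl_len
        on_wire += orig_len
    overhead = FILE_HDR_LEN + PKT_HDR_LEN * packets
    return {"packets": packets, "captured": captured, "on_wire": on_wire,
            "overhead": overhead, "file_size": overhead + captured}

def build_sample():
    """Constructed sample: three packets, the last cut to a 96-byte snaplen."""
    # File header: magic, version 2.4, thiszone, sigfigs, snaplen 96, Ethernet
    buf = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)
    for wire_len in (60, 90, 1514):
        saved = min(wire_len, 96)
        buf += struct.pack("<IIII", 1103305527, 0, saved, wire_len)
        buf += bytes(saved)   # zero-filled placeholder packet data
    return buf

if __name__ == "__main__":
    print(pcap_overhead(io.BytesIO(build_sample())))
```

For a script that estimates traffic from file sizes, subtracting `overhead` from the file size gives the captured bytes, which matches the bytes on the wire only when no packet was truncated.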