Ask Your Question

Trying to Understand Protocol Hierarchy Statistics

asked 2020-08-24 15:13:49 +0000

Serch4 gravatar image

I need to figure out how much bandwidth an IoT device used in the last 24hrs. I did a packet capture of the equipment for the last 24hrs, and now I'm looking at the Protocol Hierarchy Statistics to try and figure out the bandwidth usage.

However, I am a bit confused on why the frame bytes are so much higher than then Ethernet bytes. I am obviously not understand something, :(... According to the developer, the device should have sent 1.65Mb of data in 24hrs.

Can someone please point me in the right direction?

image description

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2020-08-24 15:44:31 +0000

Chuckc gravatar image

Would Statistics->Conversations or Statistics->Endpoints be better for this data?

Frame includes all bytes. Ethernet just the header and padding bytes.
Edit: the GUI flags padding as Ethernet but Protocol Hierarchy only includes the header bytes.
image description

edit flag offensive delete link more


I would be remiss by not including the obligatory link to the documentation (User's Guide ) which has a good explanation.

Chuckc gravatar imageChuckc ( 2020-08-24 18:37:46 +0000 )edit

Would Statistics->Conversations or Statistics->Endpoints be better for this data?

I would say yes. There are some of us who aren't all that thrilled with the current PHS implementation. If you're looking to answer the question posed by @Serch4, then you won't find it in the PHS, at least not without manually adding up the relevant Bytes from each layer, but this requires some assumptions about such things as IP and TCP header sizes and whether the Ethernet FCS bytes are present or not.

In any event, Bug 1885 contains the history of this implementation.

cmaynard gravatar imagecmaynard ( 2020-08-25 20:01:47 +0000 )edit

Thank you for the replies, looks like I will have to do some more reading to fully understand what I am looking for. It wasn't as easy of a task as I figured it was going to be. Actually quite surprised why it's so cumbersome to get such basic information out of a packet capture.

I will do some additional reading and hopefully, all this comes together.

Serch4 gravatar imageSerch4 ( 2020-09-01 14:27:03 +0000 )edit

answered 2020-08-24 15:41:21 +0000

grahamb gravatar image

The byte counts for everything except the frame is those bytes that are directly attributable to that protocol, e.g. for Ethernet, they are the bytes for the Ethernet headers (and possibly any trailers) and not including the payload.

In your case there were 67396 Ethernet packets and 943544 bytes, which gives 943544/67396 = 14 bytes, i.e. a standard Ethernet header.

Protocols may also be counted multiple times in a frame, e.g. ICMP messages often have more than 1 IP header.

As it seems your IoT data is carried over TLS, the actual data transmitted will be extended by any TLS overhead, e.g. encryption block size etc.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2020-08-24 15:13:49 +0000

Seen: 67 times

Last updated: Sep 01