Ask Your Question
0

How to find size of file downloaded?

asked 2019-02-16 00:57:40 +0000

SunMan gravatar image

I am looking for a step by step demo to know how to find the size of file downloaded.

Let's say I am downloading this https://www.7-zip.org/a/7z1806-x64.exe and the file after download shows as 1,443,680 bytes = 1410KB = 1.37 MB.

Can someone do a demo on how to find/calculate this size using wireshark? I need this to find out an issue where large files fail to download and I am suspecting that it is downloading partially.

thanks in advance... SunMan

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted
0

answered 2019-02-19 01:09:51 +0000

Hi,

This will be difficult because www.7-zip.org is using HTTPS.

If the file was downloaded over HTTP then you could simply check the size before exporting it from the capture using

File - Export Objects - HTTP...

You would see the size (in KB) for your file.

(You may need to enable "Allow subdissector to reassemble TCP streams" in TCP protocol preferences)

But because this 7-zip file is served over HTTPS everything is encrypted.

You can always "eyeball it" by using "Follow TCP." (CTRL+ALT+SHIFT+T)

Using the correct TCP stream index, you can "follow" the TCP stream in a new Window that displays the data.

This data is encrypted but Wireshark does calculate the size of this "conversation.”

In the bottom left corner there is a drop-down menu.

Select the correct direction (Probably SERVER_IP:443 -> YOUR_IP:YOUR_PORT)

You should see the size of all the packets for that direction.

It won't be equal the exact size of your file because of the packet headers.

Assuming headers for Ethernet (14), IPv4 (20) and TCP (20) you can multiply the number of packets for that direction by 54.

This will more or less precisely give you the size of all the packet headers.

So if you need a 1000 packets to transfer the file than you may subtract 54 000 bytes from the size of the conversation in "Follow TCP" for that direction. (About 52,7 KB)

This should give you something close to the "real" size.

Hope this helps.

Cheers,

JF

edit flag offensive delete link more

Comments

size of all the packets for that direction 198.252.206.25:443 --> 192.168.1.21:22578 is 332 bytes. I think there is just one packet. is there anyway I can share the trace with you?

I have uploaded trace here: https://1drv.ms/u/s!AtGs0pMyD6owgyX4q...

SunMan gravatar imageSunMan ( 2019-02-20 01:33:38 +0000 )edit

Hi,

I looked at the PCAP.

It looks like something is wrong on the client (browser) side because we see it sends TLS 1.2 Encrypted Alerts followed by FIN, ACK. It's encrypted so I can't tell you what the alert is but we know it is enough to stop the transfer.

See frames 23, 155 and 157. (Looks like you tried 3 times.)

To see only each trials:

tcp.stream eq 1
tcp.stream eq 9
tcp.stream eq 10

Did you try using another browser or even another PC?

I see that there is about 160 ms of latency between your host and the server.

You can add a column "Delta Time Displayed" of type "Delta time displayed" to see that latency between TCP segments.

(In TCP preferences, check "Analyze TCP sequence numbers" and "Calculate conversation timestamp.”)

I don't know if this is expected but ...(more)

Spooky gravatar imageSpooky ( 2019-02-25 23:48:45 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-02-16 00:57:40 +0000

Seen: 14,791 times

Last updated: Feb 19 '19