This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Will ack.no of last packet from client (minus) seq.no of syn-ack from server give us how much data transferred from server to client?

0

I am looking for a way to compute the data transfer from server to client.

Seq.no of syn-ack from server is 0 (relative seq enabled). Ack.no of last packet from client is 158068267.

By subtracting 158068267 from 0 we will get total number of bytes transferred from server to client.

However, the approach Statistics > Conversations > TCP is showing 163837601 bytes transferred from B--->A.

Any reason behind this difference?

asked 07 Mar '13, 12:30


krishnayeddula


One Answer:

1

Statistics > Conversations > TCP shows the total number of bytes transferred including overhead, such as the TCP header, the IP header, the Ethernet header, any Ethernet padding on undersized frames, etc.

Subtracting the initial sequence number from the final sequence number will give you the total number of bytes of TCP data transferred (assuming the sequence number has not wrapped). This is payload only and does not include overhead.

answered 07 Mar '13, 12:46


Jim Aragon

That helps. Thanks!

(07 Mar '13, 12:52) krishnayeddula

What if I get a low acknowledgement number and a high sequence number?

What will be my transfer data session?

Will this still be valid - subtracting the initial sequence number from the final sequence number will give you the total number of bytes of TCP data transferred?

Please help.


(12 Mar '13, 09:48) adtmv7
1

AFAIK, a low acknowledgement and a high sequence number will never happen. In your screenshot you are comparing sequence and acknowledgement from a single host's perspective; that is why you are seeing a high sequence number and a low acknowledgement number. But if you compare the sequence number of the other end (which will be in the syn-ack if it is the server or in the syn if it is the client) with the acknowledgement of the one you are showing, the ack number will outweigh (data transfer is incremental, starting from 1 byte and going on) the sequence number. Hope this clears it up...

(12 Mar '13, 11:50) krishnayeddula
1

IF you're using relative sequence numbers, and IF the sequence numbers haven't wrapped, and IF you captured the SYN and SYN/ACK, THEN the SEQ number is the number of bytes of TCP data transmitted by this host in this one TCP conversation up to this point, and the ACK number is the number of bytes transmitted by the other host. If you want to be really accurate, subtract one byte in each direction for the phantom byte during connection establishment, and if this is the last packet and the connection has been closed, subtract another byte in each direction for the phantom byte during teardown.

(12 Mar '13, 12:08) Jim Aragon
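The two counts discussed in this thread, worked through as an added example (not code from the thread or from Wireshark): payload bytes derived from the initial sequence number and the peer's last ACK, with the wrap and phantom-byte corrections, next to the on-wire frame total that Statistics > Conversations reports. The packet list, its field layout and the function names are constructed for illustration.

```python
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap

# Constructed sample capture (not from the page): raw sequence numbers, with the
# server's ISN placed just below 2**32 so its sequence space wraps mid-transfer.
# Fields: (sender, frame_len, seq, ack, flags, tcp_payload_len)
PACKETS = [
    ("C", 74,   1000,       0,          "S",  0),
    ("S", 74,   4294967000, 1001,       "SA", 0),
    ("C", 66,   1001,       4294967001, "A",  0),
    ("C", 166,  1001,       4294967001, "PA", 100),
    ("S", 1066, 4294967001, 1101,       "PA", 1000),
    ("C", 66,   1101,       705,        "A",  0),
    ("S", 66,   705,        1101,       "FA", 0),
    ("C", 66,   1101,       706,        "FA", 0),
    ("S", 66,   706,        1102,       "A",  0),
]

def payload_from_seq(packets, sender):
    """Payload bytes sent by `sender`, from its ISN and the peer's last ACK.
    Assumes the SYN was captured and fewer than 4 GiB were sent (one wrap)."""
    isn = next(p[2] for p in packets if p[0] == sender and "S" in p[4])
    final_ack = [p[3] for p in packets if p[0] != sender and "A" in p[4]][-1]
    total = (final_ack - isn) % MOD          # modular: survives one wrap
    total -= 1                               # phantom byte for the SYN
    fins = [p for p in packets if p[0] == sender and "F" in p[4]]
    # Subtract the FIN's phantom byte only if the peer's last ACK covers it.
    if fins and (fins[-1][2] + fins[-1][5] + 1) % MOD == final_ack:
        total -= 1
    return total

def frame_bytes(packets, sender):
    """Bytes on the wire from `sender`, all headers included (the figure the
    Conversations dialog counts)."""
    return sum(p[1] for p in packets if p[0] == sender)

if __name__ == "__main__":
    for host in ("S", "C"):
        print(host, "payload:", payload_from_seq(PACKETS, host),
              "on-wire:", frame_bytes(PACKETS, host))
```

With relative sequence numbers enabled the ISN is shown as 0, so the modular subtraction reduces to the plain ACK number as long as no wrap occurred.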