Traffic accounting in iptables

Hi,

I'm trying to understand traffic bytes reported in iptables. What I
did was, I downloaded a 5MB file from a server, then checked the bytes
via the command "iptables -nvx -L ...". At the same time, I captured
the traffic using tcpdump, which I then viewed in Wireshark. With
Wireshark, I added up all the bytes (with and without header) at all
the different layers. The closest I can get Wireshark to show the same
data bytes as iptables is at the IP layer (data + header). What
puzzles me is that Wireshark shows 12 bytes (incoming traffic) more
than iptables, but the number of incoming packets is the same as
reported by iptables. Outgoing bytes and packets are exactly the same
as iptables. I have repeated this test many times, by downloading 5MB
and 100MB files, and the results are the same - always 12 extra bytes
of incoming traffic. Does anyone have an explanation for this?
This is done in a controlled environment, i.e., only the HTTP packets
go through iptables.

Thanks.

Shirley
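
One way to redo the comparison described in the message above, as an added example that is not part of the original post: it totals IPv4 bytes per direction from a classic pcap file two ways, once from each IP header's Total Length field and once as frame length minus the 14-byte Ethernet header, so both figures can be set against the iptables counters. The addresses, function names and sample capture are constructed for illustration, and untagged Ethernet frames are assumed.

```python
import socket
import struct

ETH_HLEN = 14  # Ethernet II header without VLAN tag (assumption)

def ip_layer_totals(pcap, local_ip):
    """Per direction: packets, bytes by IP Total Length, bytes by frame length - 14."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    local = socket.inet_aton(local_ip)
    totals = {d: {"packets": 0, "by_header": 0, "by_frame": 0} for d in ("in", "out")}
    off = 24  # first record follows the 24-byte global header
    while off + 16 <= len(pcap):
        incl, orig = struct.unpack(endian + "II", pcap[off + 8:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < ETH_HLEN + 20 or frame[12:14] != b"\x08\x00":
            continue  # truncated record or not IPv4
        ip = frame[ETH_HLEN:]
        if ip[16:20] == local:      # destination is this host
            t = totals["in"]
        elif ip[12:16] == local:    # source is this host
            t = totals["out"]
        else:
            continue
        t["packets"] += 1
        t["by_header"] += struct.unpack("!H", ip[2:4])[0]  # IP Total Length field
        t["by_frame"] += orig - ETH_HLEN  # counts any bytes after the IP packet too
    return totals

def _record(src, dst, ip_len, frame_len):
    """Constructed frame: zeroed MACs, minimal IPv4 header, zero fill to frame_len."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    frame = (b"\x00" * 12 + b"\x08\x00" + ip).ljust(frame_len, b"\x00")
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def sample_pcap(host="192.0.2.10", server="198.51.100.5"):
    """Constructed capture: two incoming packets (one in a padded 60-byte frame), one outgoing."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return (header + _record(server, host, 40, 60) + _record(server, host, 1500, 1514)
            + _record(host, server, 40, 54))

if __name__ == "__main__":
    for direction, t in ip_layer_totals(sample_pcap(), "192.0.2.10").items():
        print(direction, t)
```

The two totals differ whenever a frame carries bytes after the end of the IP packet, as the padded 60-byte frame in the constructed sample does.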