Hi, I'm trying to understand traffic bytes reported in iptables. What I did was, I downloaded a 5MB file from a server, then checked the bytes via command "iptables -nvx -L ...". At the same time, I have captured the traffic using tcpdump, which I then viewed in Wireshark. With wireshark, I added up all the bytes (with and without header) at all the different layers. The closest I can get wireshark to show the same data bytes as iptables is at the IP Layer (data + header). What puzzles me is that, wireshark shows 12 bytes (incoming traffic) more than iptables, but the number of incoming packets are the same as reported by iptables. Outgoing bytes and packets are exactly the same as iptables. I have repeated this test many times, by downloading 5MB and 100MB files and the results are the same - always 12 bytes of incoming traffic in extra. Does anyone have an explanation for this? This is done in a controlled environment, i.e., only the http packet goes through iptables. Thanks. Shirley -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html