[netflow-tools] Confusion on Packet Size
djm at mindrot.org
Wed Jan 23 03:03:24 EST 2008
On Mon, 14 Jan 2008, Andreas Rütten wrote:
> Hello list,
> I have some NetFlows collected with softflowd and I need some information
> about the meaning of some fields.
> The Flows I have are TCP connections with 1 packet by 46 or 60 Bytes.
> What will be counted for the field "bytes"?
> A Ethernet Paket have to be at least by 72 bytes. 64 for the minimum
> Ethernet Frame and 8 for Präambel and SFD.
> So it couldn't be the hole Packet.
> The Ethernet Payload has a minimum of 46 Bytes, so maybe a single TCP ACK
> or SYN Packet can be the one I have captured?
> 20 Bytes IP Header + 20 TCP Header + 6 Bytes X
> But then what are these 6 Bytes for?
> And what Packets are typical for 60 bytes?
The are probably TCP packets with options. 20 bytes IP header + 20 bytes
TCP header + Timestamp (10 bytes) + SACK (min 10 bytes) = 60 bytes
You can check for sure by tcpdumping the actual traffic that softflowd is
reporting and comparing (use "tcpdump -vvv" to see all the TCP bits).
More information about the netflow-tools