
netstat vs. ethereal


googoog (Technical User, US), Jan 23, 2007
Hi, why does netstat show a different number of TCP segments received/transmitted than Ethereal? Is there any way of getting the same number?

For example, when I start an FTP session with a remote server and check the number of segments received (at the same time in netstat and Ethereal) while I download a file from the server, I find that the number of TCP segments given by Ethereal is less than the number given by netstat. I am looking at statistics for the session in netstat using netstat -s -p tcp.

Thanks
 
My first guess, and this is simply a guess, is that Ethereal may not be counting the 3-way handshake packets (2 or 4 additional packets per port used) as segments and that netstat is. I'd have to do some testing to figure it out for sure, but it seems logical based on some trivial research on netstat.

Another possibility is that there are additional TCP sessions open on your machine that you are filtering in your Ethereal capture.

Can you tell us what the count difference is and whether you are using PASV for your FTP or not?


pansophic
 
No, I am not using PASV. The thing is that when I read each packet in Ethereal, it shows me exactly the same procedure as it should be during an FTP data transfer. It shows everything from the "PORT" command from the client to the final message closing port 20 (including the handshakes). I am using Ethereal on Windows XP. I close all other TCP connections while performing this test. The thing is that when I download the same file from the same server, the difference between the segments shown by Ethereal and netstat stays the same. Ethereal shows 44 segments from server to client on port 20 and 3 or sometimes 4 on port 21, while netstat shows 56 or sometimes 57 TCP segments received. I am transferring data in binary mode. The file size is 55719 bytes and Ethereal shows that each TCP segment is of size 1460 bytes (making an MTU of 1500 bytes). One thing that I found out was that probably this is because Ethereal uses the WinPcap library and there might be some CRC packets dropped that are not detected by Ethereal but detected by netstat. But then again, how come the difference is always the same?

Thanks

PS: I tried using the ASCII mode as well as promiscuous mode in Ethereal but the difference stays the same. Using promiscuous wasn't gonna cause much difference anyways.

 
When you are doing the Ethereal capture, are you filtering by IP or MAC or by something more stringent?

I get 17 packets of protocol FTP when I capture an FTP session in Ethereal. That includes a single directory change on the server. Is it possible that Ethereal is not counting these packets in the statistics that you are looking at?

And where are you grabbing the segment counts in Ethereal?

Also, are you seeing any retransmissions in the Ethereal capture?

I'm assuming that you are pulling the statistics from the same FTP session for Ethereal and netstat?


pansophic
 
When you are doing the Ethereal capture, are you filtering by IP or MAC or by something more stringent?

Re: I am checking the TCP segments and filtering with TCP segments; however, checking in the Conversation (in Statistics) shows the same result.

I get 17 packets of protocol FTP when I capture an FTP session in Ethereal. That includes a single directory change on the server. Is it possible that Ethereal is not counting these packets in the statistics that you are looking at?

Re: I have checked and verified. Ethereal shows the Request Packets to change the directory and Receive Packets for approval from the server.

And where are you grabbing the segment counts in Ethereal?

Re: I just start the Capture in Ethereal and check the results once I am done downloading a file.

Also, are you seeing any retransmissions in the Ethereal capture?

Re: Sometimes yes, but not that much. I think the Conversation in Statistics shows the actual number of TCP Packets exchanged during the session minus the retransmitted ones. I am only interested in the ones sent from the server and received by my machine.

I'm assuming that you are pulling the statistics from the same FTP session for Ethereal and netstat?

Re: Yes, I start an FTP session, go to a directory, change the mode of transfer to binary, check the number of TCP received segments shown by netstat, start Capture on Ethereal, then download a file, stop Ethereal, and check the number of TCP segments shown by Ethereal and netstat. I check the segment size shown by Ethereal, and I am trying to compare the size of the file to the number of segments received by my machine.

I hope I did ok in my replies.

Now, my question is, are you getting the same number of Segments????? If you are then MAN there is something wrong with my machine!!! btw I am using Windows XP
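
Added example (not part of the thread, and not code from any poster): netstat -s -p tcp reports protocol counters for the whole host rather than for one connection, so a like-for-like comparison counts every inbound TCP segment in the capture, including segments that carry no payload. The sketch below does that for a capture saved in classic libpcap format; it assumes Ethernet framing and IPv4, and the addresses, ports and frames in the sample are constructed.

```python
import struct
from collections import Counter

def count_inbound_tcp(pcap: bytes, local_ip: str) -> Counter:
    """Count TCP segments addressed to local_ip, keyed by (source port, kind)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic libpcap file")
    end = "<" if magic == 0xA1B2C3D4 else ">"   # byte order of the file headers
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    local = bytes(map(int, local_ip.split(".")))
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":
            continue                      # too short or not IPv4
        ihl = (frame[14] & 0x0F) * 4
        tcp = 14 + ihl
        if frame[23] != 6 or frame[30:34] != local or len(frame) < tcp + 20:
            continue                      # not TCP, or not sent to this host
        total_len, = struct.unpack(">H", frame[16:18])
        sport, = struct.unpack(">H", frame[tcp:tcp + 2])
        payload = total_len - ihl - (frame[tcp + 12] >> 4) * 4
        counts[(sport, "data" if payload > 0 else "control")] += 1
    return counts

def make_frame(src, dst, sport, dport, flags, payload=b""):
    """Build one Ethernet/IPv4/TCP frame for the sample (checksums left zero)."""
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

SRV, CLI = "192.0.2.10", "198.51.100.5"   # constructed documentation addresses
FRAMES = [  # constructed active-mode FTP download plus one unrelated segment
    make_frame(SRV, CLI, 21, 1025, 0x18, b"200 PORT command successful.\r\n"),
    make_frame(SRV, CLI, 20, 1026, 0x02),               # SYN, no payload
    make_frame(CLI, SRV, 1026, 20, 0x12),               # outbound, not counted
    make_frame(SRV, CLI, 20, 1026, 0x10),               # bare ACK
    make_frame(SRV, CLI, 20, 1026, 0x10, b"x" * 1460),  # full-size data segment
    make_frame(SRV, CLI, 20, 1026, 0x18, b"x" * 239),   # last data segment
    make_frame(SRV, CLI, 20, 1026, 0x11),               # FIN, no payload
    make_frame("203.0.113.7", CLI, 80, 1027, 0x10),     # another connection
]
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in FRAMES)
```

On the constructed sample, count_inbound_tcp(SAMPLE, CLI) finds 7 inbound segments, of which only 3 carry payload on ports 20 and 21; the rest are payload-free segments and one segment from a different connection.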

 