Hi
i run tcpdump while file(with 4MB size) is downloading with follow filter:
"tcpdump -w pcapfile1 'tcp and host ’ "
then i apply filtering on pcapfile1:
"tcpdump -r pcapfile1 -w pcapfile2 'tcp[tcpflags]&(tcp-syn|tcp-
fin>tcp-rst)!=0 ’ "
then i measured size of data by Bro version :1.2.1
but results are different(on pcapfile1 is 4MB and on pcapfile2 is 1MB)
OS: Linux(Fedora Core 8)
you can perform this work and measure sum of data that is received for two files