Packet Lengths

download-slow.pcap

The size of a single packet or group of packets can tell you a lot about a situation. Under normal circumstances, the maximum size of a frame on an Ethernet network is 1,518 bytes. When you subtract the Ethernet, IP, and TCP headers from this number, that leaves you with 1,460 bytes that can be used for the transmission of a layer 7 protocol header or data. With that knowledge, you can begin to use the distribution of packet lengths in a capture to make some educated guesses about the traffic.

Opening the file download-slow.pcap will provide a great example of this. Once the file is opened, select Statistics ▸ Packet Lengths and click Create Stat. The result is the window shown in Figure 5-12.

Figure 5-12. The Packet ...
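The same kind of length tally can be computed outside Wireshark. The following Python code is an added example, not code from the book: it reads a classic pcap file and reports how many packets fall into each length range. The bucket boundaries, the function names and the in-memory sample capture are assumptions made for this example.

```python
import io
import struct
from collections import Counter

# Lower bounds of each length bucket in bytes (an assumption of this example).
EDGES = [0, 20, 40, 80, 160, 320, 640, 1280, 2560]

def read_pcap_lengths(stream):
    """Yield the original (on-the-wire) length of every record in a classic pcap."""
    header = stream.read(24)
    if len(header) < 24:
        raise ValueError("truncated pcap global header")
    if header[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif header[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap (pcapng is not handled)")
    while True:
        record = stream.read(16)
        if len(record) < 16:
            return  # clean end of file, or a truncated trailing record
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", record)
        stream.seek(incl_len, io.SEEK_CUR)  # skip the captured bytes themselves
        yield orig_len

def bucket_label(length):
    """Map a packet length to its bucket, e.g. 1514 -> '1280-2559'."""
    i = max(k for k, edge in enumerate(EDGES) if edge <= length)
    return f"{EDGES[i]}-{EDGES[i + 1] - 1}" if i + 1 < len(EDGES) else f"{EDGES[i]}+"

def length_distribution(stream):
    """Return {bucket: (count, percent of all packets)}."""
    counts = Counter(bucket_label(n) for n in read_pcap_lengths(stream))
    total = sum(counts.values())
    return {b: (n, round(100 * n / total, 1)) for b, n in counts.items()}

def build_sample_pcap(lengths):
    """Constructed input: an in-memory pcap with zero-filled frames of given sizes."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, n in enumerate(lengths):
        data += struct.pack("<IIII", i, 0, n, n) + bytes(n)
    return io.BytesIO(data)

if __name__ == "__main__":
    # 1514 = a full 1,518-byte frame without the 4-byte FCS, which captures usually omit.
    sample = build_sample_pcap([1514] * 6 + [54] * 3 + [66])
    for bucket, (count, pct) in length_distribution(sample).items():
        print(f"{bucket:>10}  {count:3d}  {pct:5.1f}%")
```

To run it against a real capture, pass `open("download-slow.pcap", "rb")` to `length_distribution` in place of the constructed sample.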
