I'm working on an application that monitors network traffic by sniffing packets with libpcap. For a TCP session, my goal is to compute the amount of data that was uploaded and downloaded in the session. I have attempted to do this using the sequence and acknowledgement numbers of the SYN-ACK and FIN-ACK or RST-ACK packets.
I seem to get accurate upload and download totals for FTP, SSH, and wget, which I have tried on my local machine.
When I deploy the program on a large university network, I notice a very small percentage of cases where the upload and download totals are incorrect. I know this because in some of these cases, my calculation gives me negative values!
My formula is this:
download total = FIN or RST packet sequence number - destination host ISN (initial sequence number)
upload total = FIN or RST packet acknowledgement number - source host ISN
I obtain the ISNs from the SYN-ACK packet that initiated the TCP session. I only use packets where the ACK flag is also set.
Is there anything wrong with my formula that would cause it to produce erroneous results (such as a negative value) in a small number of cases? If not, is there anything else that could be causing the occasional problem? Thanks very much.
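One mechanism that produces exactly this symptom, shown here as an added example (not code from the original question): TCP sequence numbers are unsigned 32-bit counters that wrap to 0 after 2**32 - 1, so plain subtraction goes negative whenever the FIN's number has wrapped past the ISN during the session. The function names and the ISN/FIN values below are constructed for illustration, not taken from a capture.

```python
# Added example: byte counting from TCP sequence numbers with 32-bit wraparound.
# Sequence and acknowledgement numbers live in a 32-bit unsigned space, so a
# session that crosses 2**32 - 1 continues from 0. Computing the difference
# modulo 2**32 yields the byte count that plain subtraction gets wrong.

SEQ_MOD = 1 << 32  # size of the TCP sequence-number space


def naive_bytes(end_seq: int, isn: int) -> int:
    """Plain subtraction, as in the question's formula; negative after a wrap."""
    return end_seq - isn


def tcp_seq_delta(end_seq: int, isn: int) -> int:
    """Bytes between isn and end_seq, correct across a wraparound.

    Note: the SYN and FIN flags each consume one sequence number, so a
    count derived purely from ISN and FIN is off by one flag byte per side.
    """
    return (end_seq - isn) % SEQ_MOD


def session_totals(server_isn: int, client_isn: int,
                   fin_seq: int, fin_ack: int) -> dict:
    """Mirror the question's formula using a FIN sent by the server.

    The FIN's sequence number is in the server's space (download), and its
    acknowledgement number is in the client's space (upload).
    """
    return {
        "download": tcp_seq_delta(fin_seq, server_isn),
        "upload": tcp_seq_delta(fin_ack, client_isn),
    }


if __name__ == "__main__":
    # Constructed case: the server's ISN sits 4096 bytes below the top of the
    # 32-bit space and the server sends 8192 bytes, so the FIN's sequence
    # number has wrapped around to 0x1000.
    server_isn, client_isn = 0xFFFFF000, 1000
    fin_seq, fin_ack = 0x1000, 1300
    print("naive download:", naive_bytes(fin_seq, server_isn))      # negative
    print("wrapped totals:", session_totals(server_isn, client_isn,
                                            fin_seq, fin_ack))
```

Because the same modulo applies to the acknowledgement numbers, the upload side should use it too; a session only needs a high ISN, not 4 GiB of traffic, to trigger the wrap.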