Difference between # of Packets in Moloch and Wireshark


Hemant Gautam

Aug 19, 2013, 3:31:26 PM8/19/13
to moloc...@googlegroups.com
Hello,

Moloch is running on a single host. I imported a 100MB pcap file using moloch-capture.
Client: 192.168.1.10 
Server: 192.168.1.1

When I apply this filter in Moloch:

ip == 192.168.1.10 && port == 3132

Moloch shows me 18 packets from 192.168.1.10 to 192.168.1.1.

I opened the same file in Wireshark and applied this filter:

ip.addr == 192.168.1.10 && tcp.port == 3132

Wireshark shows 34 packets.

Moloch isn't showing the other 16 packets, which were from 192.168.1.1 to 192.168.1.10.

Also, how do I read the Bytes column? What are the two numbers, like 0/1080?

Thanks

Andy

Aug 20, 2013, 8:35:56 AM8/20/13
to moloc...@googlegroups.com
Would it be possible to extract that using wireshark/tcpdump and send it to me?

When you say it shows 18 you mean in the packet column or somewhere else?

0/1080 is payload bytes/raw bytes. However, for partial streams the payload bytes are sometimes 0.
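As an added example (not code from this thread or from the Moloch project), the following pure-Python pcap reader applies the equivalent of the Wireshark filter from the question, `ip.addr == X && tcp.port == Y`, and splits the matching packets by direction, so you can see how a one-direction count and a both-directions count of the same stream diverge. It also computes the two numbers Andy describes for the Bytes column, payload bytes and raw (on-the-wire) bytes, per direction and in total. The pcap is constructed in memory (a six-packet TCP exchange between 192.168.1.10:3132 and 192.168.1.1:80 with zeroed MACs and checksums); function names such as `count_by_direction` and `bytes_column` are my own and not Moloch's.

```python
"""Per-direction packet and byte counts for an ip/port filter over a pcap.
Stdlib only (no scapy/tshark).  All packet data below is CONSTRUCTED."""
import struct
from collections import defaultdict


def _ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame; MACs and checksums are zero (parse-only test data)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # ethertype IPv4
    ip_total = 20 + 20 + len(payload)                      # IPv4 hdr + TCP hdr + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Classic libpcap format: little-endian global header, linktype 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_frames(pcap):
    """Yield each captured frame; honours the byte order given by the magic number."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, raw_len, payload_len), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_total = struct.unpack_from("!H", frame, 16)[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    doff = (frame[tcp + 12] >> 4) * 4
    payload_len = ip_total - ihl - doff          # bytes above TCP = "payload bytes"
    return src, dst, sport, dport, len(frame), payload_len


def count_by_direction(pcap, ip, port):
    """Equivalent of Wireshark `ip.addr == ip && tcp.port == port`, split by direction.
    Returns {"src -> dst": {"packets": n, "payload": bytes, "raw": bytes}}."""
    stats = defaultdict(lambda: {"packets": 0, "payload": 0, "raw": 0})
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, raw, payload = parsed
        if ip not in (src, dst) or port not in (sport, dport):
            continue
        d = stats[f"{src} -> {dst}"]
        d["packets"] += 1
        d["payload"] += payload
        d["raw"] += raw
    return dict(stats)


def bytes_column(stats):
    """Render the totals the way the Bytes column in the thread reads: payload/raw."""
    payload = sum(d["payload"] for d in stats.values())
    raw = sum(d["raw"] for d in stats.values())
    return f"{payload}/{raw}"


# Constructed sample: a short HTTP exchange, three packets each way.
CLIENT, SERVER = "192.168.1.10", "192.168.1.1"
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SERVER, 3132, 80, 0x02),                          # SYN
    build_frame(SERVER, CLIENT, 80, 3132, 0x12),                          # SYN/ACK
    build_frame(CLIENT, SERVER, 3132, 80, 0x10),                          # ACK
    build_frame(CLIENT, SERVER, 3132, 80, 0x18, b"GET / HTTP/1.0\r\n"),   # 16 payload bytes
    build_frame(SERVER, CLIENT, 80, 3132, 0x18, b"HTTP/1.0 200 OK\r\n"),  # 17 payload bytes
    build_frame(SERVER, CLIENT, 80, 3132, 0x11),                          # FIN/ACK
])

if __name__ == "__main__":
    stats = count_by_direction(SAMPLE_PCAP, CLIENT, 3132)
    for direction, d in stats.items():
        print(f"{direction}: {d['packets']} packets, {d['payload']}/{d['raw']} bytes")
    total = sum(d["packets"] for d in stats.values())
    print(f"both directions: {total} packets, {bytes_column(stats)} bytes")
```

On the sample, the bidirectional filter matches 6 packets while each single direction holds 3; the handshake and FIN frames contribute raw bytes but no payload bytes, which is why a direction (or a partial stream, as Andy notes) can show 0 payload bytes against a non-zero raw count. Replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()` to run it over a real file.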