databytes vs bytes


Craig

Dec 23, 2014, 11:55:33 AM
to moloc...@googlegroups.com
Could you please explain to me the concept of databytes vs. bytes with respect to Moloch?
Thank you!!

Andy

Dec 23, 2014, 1:15:51 PM
to moloc...@googlegroups.com
bytes = raw bytes on the wire according to libpcap/libnids
databytes = payload bytes inside the TCP/UDP/ICMP stream. Doesn't include retransmissions and such; plus, currently, if libnids didn't like the TCP handshake etc., it can be 0.

Craig

Dec 23, 2014, 1:23:59 PM
to moloc...@googlegroups.com
Okay, that makes more sense. So if we see a session that shows 0/432 under "bytes", that means that it was unable to parse or recognize a 3-way handshake?

Andy

Dec 23, 2014, 1:43:28 PM
to moloc...@googlegroups.com
Yes, or there really was no payload. Hard to tell, but with only 432 bytes it is very likely that there was no TCP payload data. Empty TCP frames are usually around 60-66 bytes, so 3-way SYNs followed by FINs could be 432 bytes. I just found one in our dataset, and it had no payload. If you open the session in hex and see nothing, then it probably was a bunch of SYNs/ACKs/FINs. Or just look in Wireshark.

Now if it was > 0/10000 then it would be more likely to be missing a TCP handshake.

Andy
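The accounting Andy describes, as an added example that is not part of this thread or of Moloch's own code: it builds constructed Ethernet/IPv4/TCP frames (addresses, ports and sequence numbers are made up), then sums "bytes" as the captured frame length and "databytes" as TCP payload not seen before in that direction, so a handshake-plus-FIN session comes out as 0 databytes and a retransmitted segment is counted once.

```python
import struct
FLAG_FIN, FLAG_SYN, FLAG_ACK = 0x01, 0x02, 0x10
CLIENT, SERVER = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"  # constructed addresses

def build_frame(src, dst, seq, ack, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame, no options, padded to the 60-byte minimum."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return (b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip).ljust(60, b"\x00")

def account(frames):
    """Return (bytes, databytes): every frame's wire length vs. new TCP payload only."""
    wire = data = 0
    highest_end = {}  # per direction: highest sequence number whose data was already counted
    for f in frames:
        wire += len(f)                       # "bytes": the frame as captured, padding included
        ihl = (f[14] & 0x0F) * 4
        total_len = struct.unpack("!H", f[16:18])[0]
        tcp = 14 + ihl
        seq = struct.unpack("!I", f[tcp + 4:tcp + 8])[0]
        plen = total_len - ihl - (f[tcp + 12] >> 4) * 4   # Ethernet padding is not payload
        if plen <= 0:
            continue                         # bare SYN/ACK/FIN frames add nothing to databytes
        key = (f[26:30], f[30:34])           # (src IP, dst IP) selects the direction
        seen = highest_end.get(key, 0)
        if seq + plen <= seen:
            continue                         # full retransmission of data already counted
        data += seq + plen - max(seq, seen)  # only bytes not seen before (no seq wraparound handling)
        highest_end[key] = seq + plen
    return wire, data

def handshake_only_session():
    """SYN, SYN/ACK, ACK, then a FIN/ACK from each side and the last ACK: six empty frames."""
    return [
        build_frame(CLIENT, SERVER, 1000, 0, FLAG_SYN),
        build_frame(SERVER, CLIENT, 5000, 1001, FLAG_SYN | FLAG_ACK),
        build_frame(CLIENT, SERVER, 1001, 5001, FLAG_ACK),
        build_frame(CLIENT, SERVER, 1001, 5001, FLAG_FIN | FLAG_ACK),
        build_frame(SERVER, CLIENT, 5001, 1002, FLAG_FIN | FLAG_ACK),
        build_frame(CLIENT, SERVER, 1002, 5002, FLAG_ACK),
    ]

def session_with_retransmit():
    """Handshake, a 100-byte request, the same segment sent again, and the server's ACK."""
    req = b"GET / HTTP/1.0\r\n\r\n".ljust(100, b" ")
    return handshake_only_session()[:3] + [
        build_frame(CLIENT, SERVER, 1001, 5001, FLAG_ACK, req),
        build_frame(CLIENT, SERVER, 1001, 5001, FLAG_ACK, req),  # retransmission
        build_frame(SERVER, CLIENT, 5001, 1101, FLAG_ACK),
    ]
```

The handshake-only session gives (360, 0), which is the "0/N" shape discussed above; the second session gives (548, 100) because the retransmitted 100-byte segment counts toward bytes twice but toward databytes once.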