I want to use WinPcap to capture all network packets going through a Gigabit NIC of a server.
Assuming that I am able to utilize the network link up to 100%, the maximum network speed is 1000Mbps. If we exclude the TCP/IP headers, the maximum TCP data rate should be roughly 940Mbps.
Let's say I send a 1GB file through the NIC at 940Mbps using TCP destination port 6000. I use WinPcap to capture all network packets going through the NIC and then dump them to a pcap file. If I use Wireshark to analyze the pcap file and then check the sum of packet sizes for all network packets sent to TCP port 6000, am I able to get exactly 1GB from the pcap file?
Thanks.
Assuming that you are able to utilize the network link up to 100%, the maximum network speed is NOT 1Gbps. It's less due to interframe gaps and checksums. This is even before you start taking into account packet headers (as you correctly mentioned in your original question).
Also, as implied by a comment above, a typical machine will struggle to generate packets at wire speed, let alone generate AND capture packets at the same time at wire speed. The one method I use to generate packets at wire speed (on a Linux machine) is crafting 1500-byte packets and using tcpreplay. Using this method, I can get very close to wire speed, but this utilizes the CPU ~100%, unless you are on a very, very fast machine.
Having said all that, there's nothing wrong with your plan to determine the amount of data sent to TCP port 6000 by capturing and viewing with Wireshark. (Make sure you ONLY capture TCP port 6000, rather than all packets on the interface.) You just need to ensure that the CPU is not loaded 100% such that the packet capture isn't able to process all packets. But then, this is true regardless of which method you use.
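The byte count discussed above can also be taken straight from the capture file. The following is an added example, not code from the question or the answer: it sums the TCP payload bytes sent to a destination port in a classic pcap file with Ethernet framing. The names `tcp_payload_bytes`, `_frame` and `sample_pcap` are hypothetical, the sample capture is constructed, and treating an IP total length of 0 as an offloaded send is an assumption.

```python
import struct

def tcp_payload_bytes(pcap: bytes, dport: int = 6000):
    """Return (raw, unique) TCP payload byte totals for segments sent to dport."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    raw = unique = 0
    seen, off = set(), 24
    while off + 16 <= len(pcap):
        caplen, origlen = struct.unpack(end + "II", pcap[off + 8:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":
            continue  # too short for Ethernet+IPv4+TCP headers, or not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 14:
            continue  # not TCP, or TCP header truncated by the snap length
        sport, dst_port, seq = struct.unpack("!HHI", ip[ihl:ihl + 8])
        if dst_port != dport:
            continue
        # Use the IP total length, not the frame length: it ignores Ethernet
        # padding and still works when the capture truncated the payload.
        total = struct.unpack("!H", ip[2:4])[0] or origlen - 14  # 0: assumed offloaded send
        payload = max(0, total - ihl - (ip[ihl + 12] >> 4) * 4)
        raw += payload
        key = (ip[12:20], sport, seq)
        if payload and key not in seen:  # skip exact retransmissions
            seen.add(key)
            unique += payload
    return raw, unique

def _frame(dport, seq, data, pad=b""):
    """Build one constructed Ethernet/IPv4/TCP frame (checksums left as zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, seq, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + data + pad

def sample_pcap():
    """Constructed capture: two segments, one retransmission, one other port."""
    frames = [_frame(6000, 1, b"A" * 100), _frame(6000, 101, b"BB", b"\x00" * 4),
              _frame(6000, 1, b"A" * 100), _frame(80, 1, b"C" * 50)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(tcp_payload_bytes(sample_pcap()))
```

The raw total counts a retransmitted segment again, so it can exceed the size of the file that was sent; the unique total drops only exact repeats of the same sequence number and does not resolve partially overlapping segments.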