
I use the command below to get the inter-arrival time and length of packets:

tcpdump -r example.pcap -n -ttt > result.txt

The result is something like this:

00:00:00.000545 IP src-ip.52871 > dst-ip.39461: Flags [P.], seq 1:69, ack 1, win 16698, length 68

The length that tcpdump computes is limited to the application layer of the packet, and I want it to compute layers 3 (IP), 4 (TCP or UDP) and 5 (Application) of the packet for the packet size.

What command should I use?

Barmar
amin.2014

1 Answer


Use the -v option and it will show additional details. In the example below, length 64 is the length of the entire frame, including the layer 3 and 4 headers.

18:15:21.158633 IP (tos 0x20, ttl 45, id 60118, offset 0, flags [DF], proto TCP (6), length 64)
    c-66-30-195-209.hsd1.ma.comcast.net.55297 > 10.6.117.127.macromedia-fcs: Flags [S], cksum 0x5a12 (correct), seq 4051274653, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 925877152 ecr 0,sackOK,eol], length 0

You can also use -e to include the Ethernet header, and then the length will include that as well.

Barmar
  • Thanks. I tested the switch -v and I found that the first "length" in the output includes layers 3, 4 and 5. Am I right? – amin.2014 Oct 16 '15 at 15:07
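
The following is an added example, not part of the original question or answer: a shell function that pairs each `-v` header line (whose parenthesised `length` is the IPv4 total length) with its detail line and prints the `-ttt` delta, the IP length and the payload length in one row. The names `pkt_sizes` and `sample_capture` are hypothetical, the sample lines are constructed, and only IPv4 output is handled.

```shell
# Added example: reduce "tcpdump -n -ttt -v" text to one row per IPv4 packet:
#   <delta time> <IP total length> <payload length, or "-" if not printed>
# Usage on a real capture: tcpdump -r example.pcap -n -ttt -v | pkt_sizes

pkt_sizes() {   # hypothetical helper name
    awk '
    function emit_pending() { if (have) print delta, ip_len, "-"; have = 0 }

    # Header line: "<delta> IP (tos ..., proto TCP (6), length N)"
    / IP \(.*length [0-9]+\)$/ {
        emit_pending()                 # previous header had no detail line
        delta = $1
        match($0, /length [0-9]+\)$/)
        ip_len = substr($0, RSTART + 7, RLENGTH - 8)
        have = 1
        next
    }

    # Indented detail line: "src > dst: ..., length N"
    have && /^[ \t]/ {
        payload = "-"
        if (match($0, /length [0-9]+$/)) payload = substr($0, RSTART + 7)
        print delta, ip_len, payload
        have = 0
    }

    END { emit_pending() }
    '
}

# Constructed sample input (documentation addresses, made-up ids/checksums).
sample_capture() {
    cat <<'EOF'
 00:00:00.000000 IP (tos 0x0, ttl 64, id 4242, offset 0, flags [DF], proto TCP (6), length 108)
    192.0.2.10.52871 > 198.51.100.7.39461: Flags [P.], cksum 0x1a2b (correct), seq 1:69, ack 1, win 16698, length 68
 00:00:00.000545 IP (tos 0x0, ttl 64, id 4243, offset 0, flags [DF], proto TCP (6), length 40)
    198.51.100.7.39461 > 192.0.2.10.52871: Flags [.], cksum 0x3c4d (correct), ack 69, win 16698, length 0
 00:00:00.001200 IP (tos 0x0, ttl 64, id 4244, offset 0, flags [none], proto UDP (17), length 73)
    192.0.2.10.5000 > 198.51.100.7.6000: [udp sum ok] UDP, length 45
EOF
}

sample_capture | pkt_sizes
```

Detail lines that tcpdump prints without a trailing `length` (some decoded application protocols) yield `-` in the third column, so the IP length from the header line is the value to rely on.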