Tcpdump
Hi all, I have a bash script to retrieve the date/time, source ip/port, destination ip/port and size of packet from tcpdump and insert it into a SQL table.
Code:
#!/bin/bash
# Reads tcpdump's text output line by line and pulls the fields out with expr.
while read -r data; do
    # HH:MM:SS at the start of the line (stops at the first character that is not a digit or colon)
    packet_time=$(expr "$data" : '\([0-9:]*\)')
    # source address and port: "IP a.b.c.d.port >"
    origin=$(expr "$data" : '.*IP \([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)')
    origin_port=$(expr "$data" : '.*IP [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.\([a-zA-Z0-9]*\)')
    # destination address and port: "> a.b.c.d.port:"
    destination=$(expr "$data" : '.* > \([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)')
    destination_port=$(expr "$data" : '.* > [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.\([a-zA-Z0-9]*\)')
    # length taken from the "<flag> seq:ack(len)" field of a TCP line;
    # a line without that field leaves packet_size empty and is skipped below
    packet_size=$(expr "$data" : '.*: . [0-9]*\:[0-9]*.\([0-9]*\)')
    # tcpdump prints only the time, so the date is taken from the system clock
    packet_date=$(date '+%Y-%m-%d')
    if [ "$packet_size" != "" ]; then
        echo "$packet_date $packet_time :: $origin:$origin_port -> $destination:$destination_port -- SIZE: $packet_size"
        mysql -e "INSERT INTO PacketMon.MonData (date, time, origin, origin_port, destination, destination_port, size) VALUES ('$packet_date','$packet_time','$origin','$origin_port','$destination','$destination_port',$packet_size);"
    fi
done
Problem is that the sum(size) query for a given period and src/dst does not match expected values; it is much smaller. I have read and reread the man page but I can't see what I am missing.
The script is executed with:
Code:
tcpdump -n -i eth1 | ./PacketMon
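As an added example (not code from the original post), the snippet below runs the poster's packet_size expression beside a parser that also reads the "length N" field tcpdump 4.x prints for TCP and UDP, over a few constructed lines, so the two totals can be compared. The sample lines are made up, and orig_size, payload_len and sum_with are names chosen here.

```shell
#!/bin/sh
# Constructed tcpdump -n lines: two old-style TCP data segments (one with a
# two-letter flag field), an old-style pure ACK, a tcpdump 4.x TCP segment
# and a plain UDP datagram. Payload bytes: 100 + 50 + 0 + 100 + 200.
SAMPLE='12:00:00.000001 IP 10.0.0.1.443 > 10.0.0.2.51234: P 1:101(100) ack 1 win 501
12:00:00.000002 IP 10.0.0.1.443 > 10.0.0.2.51234: FP 101:151(50) ack 1 win 501
12:00:00.000003 IP 10.0.0.2.51234 > 10.0.0.1.443: . ack 151 win 501
12:00:00.000004 IP 10.0.0.1.443 > 10.0.0.2.51234: Flags [P.], seq 1:101, ack 1, win 501, length 100
12:00:00.000005 IP 10.0.0.1.5000 > 10.0.0.2.6000: UDP, length 200'

# The expression from the posted script, unchanged: it needs exactly one
# flag character, a space and "seq:ack(len)", so "FP ...", "Flags [P.]" and
# "UDP, length N" lines all yield an empty result.
orig_size() {
    expr "$1" : '.*: . [0-9]*\:[0-9]*.\([0-9]*\)' || true
}

# Payload length from either output format: the trailing "length N" field
# (tcpdump 4.x, TCP and UDP) or the old "seq:ack(N)" form with any flag letters.
payload_len() {
    case $1 in
        *", length "*) printf '%s\n' "${1##*, length }" | sed 's/[^0-9].*//' ;;
        *) printf '%s\n' "$1" | sed -n 's/.*: [A-Z.]* [0-9]*:[0-9]*(\([0-9]*\)).*/\1/p' ;;
    esac
}

# Sum the lengths of the lines on stdin using the extractor named in $1;
# an empty result counts as 0, which is what the script's skip amounts to.
sum_with() {
    total=0
    while IFS= read -r line; do
        n=$("$1" "$line")
        total=$((total + ${n:-0}))
    done
    echo "$total"
}

printf '%s\n' "$SAMPLE" | sum_with orig_size    # prints 100
printf '%s\n' "$SAMPLE" | sum_with payload_len  # prints 450
```

Both extractors return the payload length the decoder prints after the flags, not the size of the frame on the wire, so even the complete parse is a lower bound on bytes transferred.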