Of course, it is actually even more useful for tethereal users since it can
be scripted.
tethereal -n -r foo.cap.gz -z rpc,rtt,100003,3
Creates a text table after all other output similar to the png from
ethereal.
What the magic numbers 100003 and 3 refer to I leave as an exercise for the
reader.
or
tethereal -n -r foo.cap.gz -z rpc,rtt,100003,3,nfs.fh.hash==0x12345678
(for stats for a specific file, when filtering for nfs.fh.hash, don't
forget to enable the nfs.fhandle_find_... option)
For tethereal power users:
This uses magic to create one RPC RTT stat for each and every NFS file that
exists in the capture:
tethereal -V -n -r foo.cap.gz | grep hash | sed -e "s/.*hash: //" | sort |
uniq | while read HASH ; do
    tethereal -n -r foo.cap.gz -o "nfs.fhandle_find_both_reqrep:TRUE" \
        -z "rpc,rtt,100003,3,nfs.fh.hash==$HASH" | tail -27
done
This first scans the capture to find all filehandle hashes,
then for each hash it calls tethereal again to generate RTT stats for that
particular file.
tethereal is called once for each hash. Performance can be improved if it is
rewritten to only call tethereal once here but with multiple -z commands,
one -z for each hash.
This is quite powerful and something I don't think any other tool can do.
If you are getting ideas about DCE-RPC stats like this: probably very easy
to implement, but first DCERPC must be enhanced to calculate and display the
RTT as ONC-RPC does.
This is trivial and probably consists of like 10-15 lines basically copied
from packet-rpc.c.
We could start generating stats for any interesting protocol this way. I
started with ONCRPC since it was easiest and it would automagically cover
some 20-25 interesting higher protocols.
DCERPC would definitely be good to have.
Then specific ones such as DNS, SMB, ARP, ICMP-echo, ...
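The single-invocation variant suggested above, written out as an added example (not the script from the mail): the hashes are collected first, then tethereal is run once with one -z rpc,rtt option per filehandle hash. It assumes tethereal is on PATH and that the nfs.fhandle_find_both_reqrep preference is the one the mail refers to.

```sh
#!/bin/sh
# Added example: one tethereal run with a -z rpc,rtt,... option per NFS
# filehandle hash, instead of one run per hash. Assumes tethereal is on PATH.

# Pull the unique filehandle hashes out of "tethereal -V" output read on
# stdin (same grep/sed pipeline as the mail, with sort -u doing the dedup).
extract_fh_hashes() {
    grep hash | sed -e 's/.*hash: //' | sort -u
}

# Print the -z stat spec for each hash given on the command line, one per
# line, so the caller can check exactly which stats will be requested.
rtt_z_specs() {
    for HASH in "$@"; do
        printf 'rpc,rtt,100003,3,nfs.fh.hash==%s\n' "$HASH"
    done
}

# RTT stats for every file in the capture, from a single tethereal call.
# $1 is the capture file (e.g. foo.cap.gz, a placeholder name).
rpc_rtt_per_file() {
    CAP=$1
    set --                     # start with an empty argument list
    for HASH in $(tethereal -V -n -r "$CAP" | extract_fh_hashes); do
        set -- "$@" -z "rpc,rtt,100003,3,nfs.fh.hash==$HASH"
    done
    [ $# -gt 0 ] || { echo "no NFS filehandles found in $CAP" >&2; return 1; }
    # fhandle_find_both_reqrep makes the nfs.fh.hash filter match the reply
    # as well as the request; without it the replies are missing from the stats.
    tethereal -n -r "$CAP" -o "nfs.fhandle_find_both_reqrep:TRUE" "$@"
}
```

Run it as `rpc_rtt_per_file foo.cap.gz`; all per-file tables come out of one pass over the capture.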
----- Original Message -----
From: "Jaime Fournier"
> Looks very interesting.
> Any way to generate this stuff from tethereal?