Hi All,
I'm probably repeating something that has already been solved before, but
I've been writing a simple tethereal to .CSV utility in Perl. This only
works with IP data. Everything was going well until I discovered a bug
(that wasn't my own this time :-).
As an example here's the CSV file from a connection by IE4 to www.zing.org
via our proxy server.
1,948067212.8484,406,TCP,128.150.10.6,172.20.1.2,1815,80
2,948067212.9686,40,TCP,172.20.1.2,128.150.10.6,80,1815
3,948067213.3692,251,TCP,172.20.1.2,128.150.10.6,80,1815
4,948067213.3892,465,TCP,128.150.10.6,172.20.1.2,1814,80
5,948067213.3894,448,TCP,128.150.10.6,172.20.1.2,1815,80
6,948067213.5094,40,TCP,172.20.1.2,128.150.10.6,80,1814
7,948067213.5094,40,TCP,172.20.1.2,128.150.10.6,80,1815
8,948067213.6696,249,TCP,172.20.1.2,128.150.10.6,80,1814
9,948067213.6697,457,TCP,128.150.10.6,172.20.1.2,1814,80
10,948067213.8399,40,TCP,172.20.1.2,128.150.10.6,80,1814
11,948067213.93,249,TCP,172.20.1.2,128.150.10.6,80,1815
12,948067213.95,249,TCP,172.20.1.2,128.150.10.6,80,1814
13,948067214.1203,40,TCP,128.150.10.6,172.20.1.2,1814,80
14,948067214.1203,40,TCP,128.150.10.6,172.20.1.2,1815,80
Here's the script
<<tethereal2csv.pl>>
The problem is that this trace was taken at 9:30pm today (BST), yet
Tethereal reports that it arrived soon after midnight. The date is
correct but not the time. Ethereal reports the same time as Tethereal.
Netmon reports the correct time though, so the data is in the trace file. I
presume that tethereal is in fact reporting the time after the beginning of
the trace before the first packet and adding that to the trace file's date?
[Here's Tethereal's report of the first frame]
Frame 1 (428 on wire, 428 captured)
Arrival Time: Jul 17, 2000 00:00:12.8484
Time delta from previous packet: 0.000000 seconds
Frame Number: 1
Packet Length: 428 bytes
Capture Length: 428 bytes
Here's my details:
C:\>tethereal -v
tethereal 0.8.10, with GTK+ 1.3.0, without libpcap, without libz, without SNMP
C:\>ver
Windows NT Version 4.0
==========================================================================
The second part of this email is a request for advice on how to develop a
thread analysis script based on the tethereal2csv.pl script. The above
example serves as an example of the problem I have. There are 4 HTTP GETs
required to download www.zing.org's home page, yet as the TCP ports 1814 and
1815 are reused, this script returns only two. Is it more "correct" to
report two threads or four?
Here's the output and the code
Client,Server,Client Port,Server Port,Min Frame,Max Frame,Min Time,Max Time,Bytes,Frame Count,Protocol
128.150.10.6,172.20.1.2,1815,80,1,14,948067212.8484,948067214.1203,1474,7,TCP
128.150.10.6,172.20.1.2,1814,80,4,13,948067213.3892,948067214.1203,1540,7,TCP
<<thread.pl>>
I look forward to any comments you might have
Alistair
> --------------------------------------------------------------------
> Alistair McGlinchy, alistair.mcglinchy@xxxxxxxxxxxxxxxxxxxxx
> Sizing and Performance, Central IT ext. 5012, ph +44 0 20-7268-5012
> Marks and Spencer (Stockley Park) fx +44 0 20-7268-5721
> 1SW, 3 Longwalk Rd, Stockley Park, Uxbridge UB11 1AW, United Kingdom
Attachment: tethereal2csv.pl
Attachment: thread.pl
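The connection grouping and the "two threads or four" question above, worked through as an added example. This is not the author's thread.pl or tethereal2csv.pl (which are attachments, not on the page); it is written in Python rather than the post's Perl so it can be run as-is. It embeds the 14 CSV rows from the post verbatim, assumes the client is whichever side sent the first packet of a 4-tuple (a hypothetical rule; it fails on captures that start mid-connection), and treats a row of exactly 40 bytes (IPv4 + TCP headers with no options) as a bare ACK. It reproduces the two summary rows the post shows (1474 and 1540 bytes, 7 frames each), then splits each connection into request/response transactions by a heuristic of my own: a client-to-server packet with payload starts a new transaction once the server has answered the previous one with payload. That yields four transactions over two connections, so both counts are available and the choice is which record you want: one flow record per TCP connection, or one per HTTP exchange inside a persistent (proxy keep-alive) connection. Anyone building flow records for traffic analysis should be aware that keying on the 4-tuple alone merges every request carried on a reused connection. A small helper also decodes the epoch value in the first CSV row to 2000-01-17 00:00:12 UTC, the same time of day the Tethereal dump prints for frame 1.

```python
"""Group a tethereal-style CSV into TCP connections and HTTP-like transactions.
Added example; not the tethereal2csv.pl or thread.pl from the post.
Columns: frame, epoch time, IP length, proto, src, dst, sport, dport."""
import csv
import io
from collections import OrderedDict
from datetime import datetime, timezone

# The 14 rows exactly as given in the post.
SAMPLE_CSV = """\
1,948067212.8484,406,TCP,128.150.10.6,172.20.1.2,1815,80
2,948067212.9686,40,TCP,172.20.1.2,128.150.10.6,80,1815
3,948067213.3692,251,TCP,172.20.1.2,128.150.10.6,80,1815
4,948067213.3892,465,TCP,128.150.10.6,172.20.1.2,1814,80
5,948067213.3894,448,TCP,128.150.10.6,172.20.1.2,1815,80
6,948067213.5094,40,TCP,172.20.1.2,128.150.10.6,80,1814
7,948067213.5094,40,TCP,172.20.1.2,128.150.10.6,80,1815
8,948067213.6696,249,TCP,172.20.1.2,128.150.10.6,80,1814
9,948067213.6697,457,TCP,128.150.10.6,172.20.1.2,1814,80
10,948067213.8399,40,TCP,172.20.1.2,128.150.10.6,80,1814
11,948067213.93,249,TCP,172.20.1.2,128.150.10.6,80,1815
12,948067213.95,249,TCP,172.20.1.2,128.150.10.6,80,1814
13,948067214.1203,40,TCP,128.150.10.6,172.20.1.2,1814,80
14,948067214.1203,40,TCP,128.150.10.6,172.20.1.2,1815,80
"""

# Assumption: IPv4 + TCP headers with no options. A row of exactly this
# length carries no payload, i.e. it is a bare ACK.
IP_TCP_HEADER = 40


def parse_rows(text):
    """Parse CSV text into a list of dicts, keeping only TCP rows."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec or rec[3] != "TCP":
            continue
        rows.append({
            "frame": int(rec[0]), "time": float(rec[1]), "len": int(rec[2]),
            "src": rec[4], "dst": rec[5], "sport": int(rec[6]), "dport": int(rec[7]),
        })
    return rows


def connections(rows):
    """Group packets by 4-tuple as seen from the client. Assumption: the client
    is the side that sent the first packet of the tuple (no mid-stream start)."""
    conns = OrderedDict()
    for r in rows:
        fwd = (r["src"], r["dst"], r["sport"], r["dport"])
        rev = (r["dst"], r["src"], r["dport"], r["sport"])
        key = fwd if fwd in conns else rev if rev in conns else fwd
        conns.setdefault(key, []).append(r)
    return conns


def summarize(key, pkts):
    """One summary row in the shape of the post's thread.pl output."""
    return {
        "client": key[0], "server": key[1], "cport": key[2], "sport": key[3],
        "min_frame": min(p["frame"] for p in pkts),
        "max_frame": max(p["frame"] for p in pkts),
        "min_time": min(p["time"] for p in pkts),
        "max_time": max(p["time"] for p in pkts),
        "bytes": sum(p["len"] for p in pkts), "frames": len(pkts),
    }


def transactions(key, pkts):
    """Split one connection into request/response exchanges (heuristic).
    A client->server packet with payload opens a new transaction once the
    server has sent payload for the previous one. With no TCP flags or HTTP
    parsing available, a multi-segment or pipelined request is not
    distinguishable from a new request, so treat the result as approximate."""
    client = key[0]
    txns, cur, server_data_seen = [], None, False
    for p in pkts:
        from_client = p["src"] == client
        has_payload = p["len"] > IP_TCP_HEADER
        if from_client and has_payload and (cur is None or server_data_seen):
            cur = []
            txns.append(cur)
            server_data_seen = False
        if cur is None:  # bare ACKs before any request: nothing to attach to
            continue
        cur.append(p)
        if not from_client and has_payload:
            server_data_seen = True
    return txns


def epoch_to_utc(ts):
    """Decode a CSV epoch timestamp to a UTC wall-clock string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def analyse(text=SAMPLE_CSV):
    """Return (per-connection summaries, per-connection transaction frame lists)."""
    conns = connections(parse_rows(text))
    summaries = [summarize(k, v) for k, v in conns.items()]
    txn_frames = {k: [[p["frame"] for p in t] for t in transactions(k, v)]
                  for k, v in conns.items()}
    return summaries, txn_frames


if __name__ == "__main__":
    summaries, txns = analyse()
    for s in summaries:
        print(",".join(str(s[c]) for c in ("client", "server", "cport", "sport",
                                            "min_frame", "max_frame", "min_time",
                                            "max_time", "bytes", "frames")) + ",TCP")
    for k, ts in txns.items():
        print("%s:%d -> %s:%d transactions: %s" % (k[0], k[2], k[1], k[3], ts))
    print("frame 1 arrival (UTC):", epoch_to_utc(948067212.8484))
```

Run it with no arguments to print the two connection rows, the frame numbers of each transaction (frames 1-3 and 5,7,11,14 on port 1815; 4,6,8 and 9,10,12,13 on port 1814), and the decoded time of frame 1.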