Ethereal-users: Re: [Ethereal-users] Ethereal Top Talkers - Other reporting info?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <ronnie_sahlberg@xxxxxxxxxxxxxx>
Date: Sat, 11 Jan 2003 11:35:23 +1100
----- Original Message -----
From: "Ian Schorr"
Sent: Saturday, January 11, 2003 7:35 AM
Subject: Re: [Ethereal-users] Ethereal Top Talkers - Other reporting info?


> As long as we're talking about new features =)
>
> How about reporting of Application Response Time within the decode pane?
>   (ART as in end-of-call to beginning-of-response delta times, not
> call-to-next-UDP-segment-from-server or call-to-TCP-ACK as Sniffer
> calculates it =)
>
> Graphs would be nice, but ideally I'd like to be able to add a column to
> the decode pane that displays ART calculations.  Better yet, columns for
> call-to-response, end-of-response to beginning-of-next-call, number of
> calls outstanding (unanswered by the server), etc.  VERY useful
> statistics when trying to troubleshoot any kind of performance issue.
>
> Is this possible now, and I just don't realize it?
>

Yes.
All ONC-RPC and DCE-RPC based protocols that ethereal supports will put the ART
value in the decode pane.
SMB packets will also put ART value in the decode pane.

These ART values are the difference in time between the request and response
packet as ethereal saw the packets and is not calculated on lower layer ack
packets.
(TCP time to ack values can be calculated for all TCP sessions if one also
enables the option:
TCP/Analyze TCP sequence numbers.
This option for TCP is disabled by default since it creates extra state
inside ethereal and thus requires more
runtime memory and makes ethereal (unnoticeably) slower)
All the ART times are always enabled though and can not be disabled.


Load an SMB capture into ethereal and look in the SMB header for a reply
packet:
If ethereal has been able to match the reply to a request packet it will
have these two lines in
the decode pane under the SMB Header
Response to: x
Time from request:   0.xxx seconds

Right-clicking on the Response to: line will offer you the option to GoTo the
request packet.
The Time from request line has a display filter name    smb.time
and you can filter for example
   smb.time>0.020
if you want to see say all SMB response packets where the ART took more than
20ms.


Same thing is available for all ONC-RPC (NFS, NLM, ... )and DCE-RPC (SAMR,
NETLOGON,...),
and works regardless of what transport is used.   (If a tool bases this
hardcoded on TCP-ACK values
this would be a bug making the feature useless and time to invoke the
support contract to get it fixed.)

There may be other protocols as well where this is also implemented.
Probably are but I don't remember
which off the top of my head.

If this feature is missing from a request/response dissector in ethereal it
is very easy to add it.
It mainly consists of adding state tracking to match requests with responses
and keep track of timestamps.
Good examples on how this is done can be found in say packet-rpc.c



If you want ethereal to produce a graph over how the ART changes over time
this can be done as well
using IO-Stat graphing.   See the man page for ethereal.
I myself from time to time use this to do
Select Graph type   Advanced
Specify  filter as nfs&&rpc.time    specify field as rpc.time   then specify
MAX/MIN/AVG respectively
for the three first graphs.
This provides a simple graph where MAX() nfs ART,   MIN() nfs ART and AVG()
nfs ART
will be calculated for each measurement interval and plotted.
This provides a simple way to see how MAX/MIN/AVG changes over time.

MAX/MIN/AVG for time fields are always plotted in units of ms.

If you do this, please donate a nice graph to the ethereal web page.



If you want to process and produce the graphs in external packages you can
do that as well using tethereal.
Run tethereal using -z proto,colinfo,...   option (see manpage)  to put say
smb.time on the output line for each packet (where it is available)   and
maybe whatever other fields you need.
Then just use a script to extract whatever data you need and want from
tethereal output.



Plea for contribution:
Oh, perhaps if you really find this useful you might be willing and have
time to put together a brief nice
user manual on how to do ART filtering and graphing in ethereal?
Many would find these very useful features if they just knew how they work.
I could do it myself but English is not my first language and I just can
not write good and concise
texts for human readers.
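
The external-processing route described in the message above, as an added example that is not part of the original post or of ethereal: a script that pulls smb.time out of tethereal-style text output, computes MIN/MAX/AVG ART in ms per measurement interval, and lists responses slower than 20 ms. The sample lines and their layout (frame number, relative time, and a "smb.time == value" suffix from the -z proto,colinfo,... option) are constructed assumptions; adjust the pattern to what your tethereal run prints.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from a real capture). Assumed layout: frame
# number, relative time in seconds, addresses, protocol, info column, with
# "smb.time == <seconds>" appended on responses that were matched to a request.
SAMPLE = """\
  1   0.000000 10.0.0.5 -> 10.0.0.9 SMB Read AndX Request, FID: 0x4001
  2   0.003120 10.0.0.9 -> 10.0.0.5 SMB Read AndX Response  smb.time == 0.003120000
  3   0.410000 10.0.0.5 -> 10.0.0.9 SMB Read AndX Request, FID: 0x4001
  4   0.435500 10.0.0.9 -> 10.0.0.5 SMB Read AndX Response  smb.time == 0.025500000
  5   1.200000 10.0.0.5 -> 10.0.0.9 SMB Close Request, FID: 0x4001
  6   1.201000 10.0.0.9 -> 10.0.0.5 SMB Close Response  smb.time == 0.001000000
  7   1.700000 10.0.0.5 -> 10.0.0.9 SMB Tree Disconnect Request
  8   1.760000 10.0.0.9 -> 10.0.0.5 SMB Tree Disconnect Response  smb.time == 0.060000000
"""


def parse_art(text, field="smb.time"):
    """Return (frame, capture_time_s, art_s) for every line carrying the field."""
    pat = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s.*\b" + re.escape(field)
                     + r" == (\d+(?:\.\d+)?)")
    samples = []
    for line in text.splitlines():
        m = pat.search(line)
        if m:  # requests and unmatched replies have no ART value; skip them
            samples.append((int(m.group(1)), float(m.group(2)), float(m.group(3))))
    return samples


def art_per_interval(samples, interval=1.0):
    """MIN/MAX/AVG of ART in ms per measurement interval, keyed by interval start."""
    buckets = defaultdict(list)
    for _frame, ts, art in samples:
        buckets[int(ts // interval) * interval].append(art * 1000.0)
    return {start: (round(min(v), 3), round(max(v), 3), round(sum(v) / len(v), 3))
            for start, v in sorted(buckets.items())}


def slow_responses(samples, threshold_s=0.020):
    """Frame numbers whose ART exceeds the threshold, like the filter smb.time>0.020."""
    return [frame for frame, _ts, art in samples if art > threshold_s]


if __name__ == "__main__":
    art = parse_art(SAMPLE)
    for start, (lo, hi, avg) in art_per_interval(art).items():
        print(f"t={start:5.1f}s  MIN={lo:.3f}ms  MAX={hi:.3f}ms  AVG={avg:.3f}ms")
    print("responses slower than 20 ms:", slow_responses(art))
```

Pass field="rpc.time" to parse_art for the NFS case mentioned in the message, provided that field was put on the output line.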