Ethereal-users: Re: [Ethereal-users] IO Graphs - SUM & Count

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <ronnie_sahlberg@xxxxxxxxxxxxxx>
Date: Wed, 7 Apr 2004 03:31:29 +1000
>----- Original Message ----- 
>From: Keith French
>To: ethereal-users@xxxxxxxxxxxx
>Sent: Saturday, April 03, 2004 6:52 AM
>Subject: [Ethereal-users] IO Graphs - SUM & Count
>
>
>In Ethereal Ver 0.10.3 if you display the IO Graph and use the Advanced
>option on the Y axis, the manual doesn't seem to explain what the SUM &
>COUNT options are trying to do. As an example if you set the filter on the
>graph to:-
>
>(ip.src == 128.101.80.131) && (tcp.dstport == 33543)
>
>and the COUNT to:-
>
>tcp.dstport
>
>I assume the graph just plots the number of TCP packets whose destination
>port is set to 33543 from IP address 128.101.80.131 against time?

Yes, since the field tcp.dstport only occurs once in each packet, and you
filter for packets only going to that port, it will.
(The exception would be if you tunnel tcp on top of something over tcp so
that you will have multiple 'tcp.dstport' in each packet, then they would be
counted twice)

>If you now change the same graph from COUNT to SUM with the filter & fields
>the same as before, what is this plotting?

Then it will plot the SUM of the values of all the 'tcp.dstport' fields, and
since they all, due to the filter, have the value 33543 then it
would just be the same as 33543*COUNT(tcp.dstport)


Use COUNT() when you want to plot how many times a certain item occurs in
the capture. Note that some fields may occur multiple times in the same
packet.

Use SUM() if you want to plot the sum of the values for all these fields
added up.

COUNT() is sometimes useful to plot the number of duplicate acks and
retransmissions in a capture ('tcp.analysis.retransmission' and
'tcp.analysis.duplicate_ack').

SUM() is useful to plot things like tcp.length and similar when we want to
see the sum of how many payload bytes are passed across
tcp in a given time interval.


(I agree that the examples above are 'constructed' and that SUM/COUNT might
not really be as useful in real life as the incredibly useful and incredibly
powerful MIN/MAX/AVG and especially LOAD calculations when applied to say
smb.time or other response times)

>
>Keith French

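The COUNT and SUM behaviour described in the reply above, modelled in Python as an added example that is not part of the original e-mail or of Ethereal's own code. The packet dictionaries, the helper names `matches` and `io_graph`, the one-second interval and all sample values are assumptions constructed for illustration; the field name `tcp.length` is used as written in the post.

```python
from collections import defaultdict

# Constructed sample packets (not from a real capture). Each field maps to a
# list of ALL its occurrences, because a field can appear more than once in
# one packet (e.g. TCP tunnelled over TCP).
PACKETS = [
    {"time": 0.2, "ip.src": ["128.101.80.131"], "tcp.dstport": [33543], "tcp.length": [100]},
    {"time": 0.7, "ip.src": ["128.101.80.131"], "tcp.dstport": [33543], "tcp.length": [1460]},
    {"time": 0.9, "ip.src": ["10.0.0.5"], "tcp.dstport": [80], "tcp.length": [512]},
    # Tunnelled packet: two TCP headers, so two tcp.dstport occurrences.
    {"time": 1.4, "ip.src": ["128.101.80.131"], "tcp.dstport": [33543, 33543], "tcp.length": [40, 0]},
]


def matches(pkt):
    """Model of the filter (ip.src == 128.101.80.131) && (tcp.dstport == 33543).

    A comparison is true if ANY occurrence of the field has that value.
    """
    return "128.101.80.131" in pkt["ip.src"] and 33543 in pkt["tcp.dstport"]


def io_graph(packets, field, calc, interval=1.0):
    """Return {interval_index: y_value} for calc "COUNT" or "SUM" over `field`."""
    if calc not in ("COUNT", "SUM"):
        raise ValueError("calc must be COUNT or SUM")
    buckets = defaultdict(int)
    for pkt in packets:
        if not matches(pkt):
            continue  # the graph filter is applied before the calculation
        values = pkt.get(field, [])
        idx = int(pkt["time"] // interval)
        # COUNT adds one per field occurrence; SUM adds the occurrence values.
        buckets[idx] += len(values) if calc == "COUNT" else sum(values)
    return dict(buckets)


if __name__ == "__main__":
    count = io_graph(PACKETS, "tcp.dstport", "COUNT")
    total = io_graph(PACKETS, "tcp.dstport", "SUM")
    for idx in sorted(count):
        # With the filter in place, SUM equals 33543 * COUNT in every interval.
        print(idx, count[idx], total[idx], total[idx] == 33543 * count[idx])
    print("payload bytes per interval:", io_graph(PACKETS, "tcp.length", "SUM"))
```

The second interval holds a single tunnelled packet, yet COUNT reports 2 there, which is the double counting the reply mentions.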