Wireshark-bugs: [Wireshark-bugs] [Bug 8647] SUM(tcp.time_delta)tcp.time_delta incorrect

Date: Sat, 18 May 2013 21:42:00 +0000

Comment # 4 on bug 8647 from
OK, so what's going on is that the tshark display filter (-R or -Y depending on
your version) doesn't affect the packets passed to the statistics tap; it only
affects the packets displayed (of which there are none anyways because of -q).

What you want is to build the filter into the statistics tap instead. The
following works for me:

$ tshark -r ~/Downloads/file-copy.pcap -qz "io,stat,0,SUM(tcp.time_delta)tcp.time_delta and tcp.srcport==445"

=================================================================
| IO Statistics                                                 |
|                                                               |
| Interval size: 51.8 secs (dur)                                |
| Col 1: Frames and bytes                                       |
|     2: SUM(tcp.time_delta)tcp.time_delta and tcp.srcport==445 |
|---------------------------------------------------------------|
|              |1                  |2          |                |
| Interval     | Frames |   Bytes  |    SUM    |                |
|----------------------------------------------|                |
|  0.0 <> 51.8 |  18972 | 26654645 | 49.274044 |                |
=================================================================
$ tshark -r ~/Downloads/file-copy.pcap -qz "io,stat,0,SUM(tcp.time_delta)tcp.time_delta and tcp.dstport==445"

=================================================================
| IO Statistics                                                 |
|                                                               |
| Interval size: 51.8 secs (dur)                                |
| Col 1: Frames and bytes                                       |
|     2: SUM(tcp.time_delta)tcp.time_delta and tcp.dstport==445 |
|---------------------------------------------------------------|
|              |1                  |2         |                 |
| Interval     | Frames |   Bytes  |    SUM   |                 |
|---------------------------------------------|                 |
|  0.0 <> 51.8 |  18972 | 26654645 | 2.557401 |                 |
=================================================================

These results look like they match what you were expecting. Does this solve
the problem?

Evan

P.S. If this is the answer then I would welcome a suggestion on where we should
improve the documentation for it. I haven't spent much time on this particular
feature, but I admit it seems confusing...
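
To use these sums in a script, the io,stat table has to be parsed. The Python sketch below is an added example, not part of the original message or of Wireshark; it assumes the table layout shown above, and its SAMPLE is a constructed input copied from the first table in this message. It returns each column's definition (including the tap filter) next to the values, so a script can confirm that the filter was built into the statistics tap.

```python
import re

# Constructed sample input: the first io,stat table quoted in the message above.
SAMPLE = """\
=================================================================
| IO Statistics                                                 |
|                                                               |
| Interval size: 51.8 secs (dur)                                |
| Col 1: Frames and bytes                                       |
|     2: SUM(tcp.time_delta)tcp.time_delta and tcp.srcport==445 |
|---------------------------------------------------------------|
|              |1                  |2          |                |
| Interval     | Frames |   Bytes  |    SUM    |                |
|----------------------------------------------|                |
|  0.0 <> 51.8 |  18972 | 26654645 | 49.274044 |                |
=================================================================
"""

# "| Col 1: <definition> |" or "|     2: <definition> |"
COLDEF = re.compile(r"^\|\s*(?:Col\s+)?(\d+):\s*(.*?)\s*\|$")
# "|  0.0 <> 51.8 | <cell> | <cell> | ..."
ROW = re.compile(r"^\|\s*([\d.]+)\s*<>\s*([\d.]+)\s*\|(.*)$")

def parse_io_stat(text):
    """Return (column definitions, header names, interval rows) for one table."""
    columns, headers, rows = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        m = COLDEF.match(line)
        if m:
            columns[int(m.group(1))] = m.group(2)
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] == "Interval":  # header row; "Interval size: ..." is not equal
            headers = [c for c in cells[1:] if c]
            continue
        m = ROW.match(line)
        if m:
            values = [v.strip() for v in m.group(3).split("|") if v.strip()]
            if len(values) != len(headers):
                raise ValueError(f"unexpected cell count in row: {line!r}")
            rows.append((float(m.group(1)), float(m.group(2)), values))
    return columns, headers, rows

if __name__ == "__main__":
    columns, headers, rows = parse_io_stat(SAMPLE)
    print(columns[2], dict(zip(headers, rows[0][2])))
```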
