Wireshark-bugs: [Wireshark-bugs] [Bug 8647] SUM(tcp.time_delta)tcp.time_delta incorrect

Date: Sun, 19 May 2013 17:49:53 +0000

Comment # 5 on bug 8647 from
OK, I would agree that my grasp on how to use "-z io,stat...." is weak ... I
buy your idea that my incantation wasn't likely to behave the way I wanted as I
was using a display filter rather than a 'stat' filter.

And I would agree that your incantation delivers the results I want.  In fact,
I've sanity-checked the tshark output using Excel:  I filter the trace twice
(tcp.dstport==445 the first time, tcp.srcport==445 the second time), use
'Export Packet Dissections' to produce a text file, import that file into
Excel, and ask Excel to Sum the contents of the DeltaT column.  The result
matches the tshark output perfectly in both cases.

I'm staring at the -z
io,stat,interval,"[COUNT|SUM|MIN|MAX|AVG|LOAD](field)field [and filter]"
section of http://www.wireshark.org/docs/man-pages/tshark.html and wrestling
with verbiage:  how to communicate the use of this feature more clearly?

CURRENT TEXT
===========================
-z io,stat,interval,"[COUNT|SUM|MIN|MAX|AVG|LOAD](field)field [and filter]"

    NOTE: One important thing to note here is that the field that the
calculation is based on MUST also be part of the filter string or else the
calculation will fail.

    So: -z io,stat,0.010,AVG(smb.time) does not work. Use -z
io,stat,0.010,AVG(smb.time)smb.time instead. Also be aware that a field can
exist multiple times inside the same packet and will then be counted multiple
times in those packets.
===========================

The key stumbling block for my brain is that the syntax "(field)field [and
filter]" conflates the term 'field' with the term 'filter'.  A more verbose
approach:


PROPOSED TEXT
===========================
-z io,stat,interval,"[COUNT|SUM|MIN|MAX|AVG|LOAD](field)filter"

NOTE: One important thing to note here is that the filter string is not
optional AND that the field that the calculation is based on MUST also be part
of the filter string.  Otherwise, the calculation will fail.

    So: -z io,stat,0.010,AVG(smb.time) does not work. Use -z
io,stat,0.010,AVG(smb.time)smb.time instead.  Also be aware that a field can
exist multiple times inside the same packet and will then be counted multiple
times in those packets.

As another example, consider a more complex filter, which would separate the
Average SMB Time for the Client:
  -z "io,stat,0.010,AVG(smb.time)smb.time and tcp.dstport==445"
from the Average SMB Time for the Server:
  -z "io,stat,0.010,AVG(smb.time)smb.time and tcp.srcport==445"
===========================

So, there's an alternate syntax for the tshark man page ... that being said,
the current syntax conveys the result in a more compact manner, despite its
conflation of the term 'field' with 'filter'.  [And, I note, there is plenty of
room for error on /my part/ here ... recall that I'm new to the -z io,stat
feature set, and I may be misunderstanding something here.  I note that, in
running this against file-copy.pcap, I get results of '0', i.e. smb.time is '0'
regardless of how I slice & dice this.  ]

C:\Temp>tshark -r file-copy.pcap -qz "io,stat,0,AVG(smb.time)smb.time"

===============================================
| IO Statistics                               |
|                                             |
| Interval size: 51.8 secs (dur)              |
| Col 1: Frames and bytes                     |
|     2: AVG(smb.time)smb.time                |
|---------------------------------------------|
|              |1                  |2         |
| Interval     | Frames |   Bytes  |    AVG   |
|---------------------------------------------|
|  0.0 <> 51.8 |  18972 | 26654645 | 0.000000 |
===============================================

C:\Temp>tshark -r file-copy.pcap -qz "io,stat,0,AVG(smb.time)smb.time and tcp.dstport==445"

=====================================================
| IO Statistics                                     |
|                                                   |
| Interval size: 51.8 secs (dur)                    |
| Col 1: Frames and bytes                           |
|     2: AVG(smb.time)smb.time and tcp.dstport==445 |
|---------------------------------------------------|
|              |1                  |2         |     |
| Interval     | Frames |   Bytes  |    AVG   |     |
|---------------------------------------------|     |
|  0.0 <> 51.8 |  18972 | 26654645 | 0.000000 |     |
=====================================================

C:\Temp>


By the way, I've switched versions:
C:\Temp>tshark -v
TShark 1.10.0rc1 (SVN Rev 49064 from /trunk-1.10)
[...]
Compiled (64-bit) with GLib 2.34.1, with WinPcap (4_1_3), with libz 1.2.5,
without POSIX capabilities, without libnl, with SMI 0.4.8, with c-ares 1.9.1,
with Lua 5.1, without Python, with GnuTLS 2.12.18, with Gcrypt 1.4.6, without
Kerberos, with GeoIP.

Running on 64-bit Windows 7 Service Pack 1, build 7601, without WinPcap.
Intel(R) Core(TM)2 Duo CPU     E4600  @ 2.40GHz, with 8061MB of physical
memory.

Built using Microsoft Visual C++ 10.0 build 40219

C:\Temp> 

So, there's my two bits on how we might improve the man page.

--sk
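The semantics the comment and the proposed man-page text describe, as an added example that is not part of the original bug comment and not Wireshark/tshark code: a small Python model of what one "-z io,stat,interval,CALC(field)filter" column computes, run over constructed packets. It shows the two points at issue: the filter must select only packets that carry the field (modelled here as an error, standing in for the man page's "the calculation will fail"; how tshark itself fails is not modelled), and a field that occurs several times in one packet is counted once per occurrence. The Packet structure, the filter callables and the sample SMB/445 exchange are assumptions made for this example; LOAD is not modelled.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Added example (not tshark source): a model of one io,stat column.
# Assumptions: a packet is a record with a timestamp, TCP ports and a map of
# field name -> every occurrence of that field in the packet; a filter is any
# callable over a Packet (real tshark filters are display-filter strings).


@dataclass
class Packet:
    time: float                      # seconds since capture start
    srcport: int
    dstport: int
    fields: Dict[str, List[float]] = field(default_factory=dict)  # field -> all occurrences


Filter = Callable[[Packet], bool]


def aggregate(calc: str, samples: List[float]) -> float:
    """COUNT/SUM/MIN/MAX/AVG over every field occurrence in one interval.
    An interval with no samples reports 0, as the quoted tshark output does."""
    if calc == "COUNT":
        return float(len(samples))
    if not samples:
        return 0.0
    if calc == "SUM":
        return sum(samples)
    if calc == "MIN":
        return min(samples)
    if calc == "MAX":
        return max(samples)
    if calc == "AVG":
        return sum(samples) / len(samples)
    raise ValueError(f"unsupported calculation {calc!r}")


def io_stat(packets: List[Packet], interval: float, calc: str,
            fieldname: str, filt: Filter) -> Dict[int, float]:
    """One io,stat column as {interval_index: value}.
    interval 0 means a single bucket spanning the whole capture ('io,stat,0,...')."""
    buckets: Dict[int, List[float]] = {}
    for p in packets:
        if not filt(p):
            continue
        if fieldname not in p.fields:
            # The filter admitted a packet without the field: exactly what the
            # man page says the filter string must rule out (modelled as an error).
            raise ValueError(f"filter selected frame at t={p.time} without {fieldname}; "
                             f"add '{fieldname}' to the filter")
        idx = 0 if interval <= 0 else int(p.time / interval + 1e-9)  # epsilon: bucket-edge rounding
        buckets.setdefault(idx, []).extend(p.fields[fieldname])       # one sample per occurrence
    return {idx: aggregate(calc, s) for idx, s in sorted(buckets.items())}


# Constructed SMB/445 exchange. In this sample smb.time is attached only to the
# server's responses (an assumption about the sample data, not about every capture).
SAMPLE = [
    Packet(0.001, 50000, 445),                                # request, no smb.time
    Packet(0.004, 445, 50000, {"smb.time": [0.003]}),         # response
    Packet(0.012, 50000, 445),                                # request
    Packet(0.020, 445, 50000, {"smb.time": [0.008, 0.002]}),  # two responses in one segment
    Packet(0.031, 445, 50000, {"smb.time": [0.005]}),         # response
]

has_smb_time: Filter = lambda p: "smb.time" in p.fields
# The client/server split from the proposed man-page text:
client_side: Filter = lambda p: "smb.time" in p.fields and p.dstport == 445
server_side: Filter = lambda p: "smb.time" in p.fields and p.srcport == 445


if __name__ == "__main__":
    print("AVG(smb.time)smb.time, 10 ms intervals:",
          io_stat(SAMPLE, 0.010, "AVG", "smb.time", has_smb_time))
    print("COUNT(smb.time)smb.time, 10 ms intervals:",
          io_stat(SAMPLE, 0.010, "COUNT", "smb.time", has_smb_time))
    print("whole-capture SUM:", io_stat(SAMPLE, 0, "SUM", "smb.time", has_smb_time))
    print("server side AVG:", io_stat(SAMPLE, 0, "AVG", "smb.time", server_side))
    print("client side AVG:", io_stat(SAMPLE, 0, "AVG", "smb.time", client_side))
    try:
        io_stat(SAMPLE, 0, "AVG", "smb.time", lambda p: True)  # field not in the filter
    except ValueError as err:
        print("rejected:", err)
```

The 10 ms COUNT column makes the second caveat visible: the segment at 0.020 s carries two smb.time values and contributes 2 to its interval, so a per-interval AVG is an average over field occurrences, not over frames. The client-side column comes back empty for this sample because no packet towards port 445 carries smb.time, which is the same kind of outcome to check for when a real column reads 0.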

