Wireshark-users: [Wireshark-users] Stats Inconsistencies
From: Alec Joseph Rivera <agi@xxxxxx>
Date: Mon, 24 Sep 2007 11:27:16 +0800
Hello, I've been doing some analyses for a company. I ran across
tshark's maximum of 2GB, which was very unfortunate since the data given
to me is about 10GB/day.
What I did was process the data in manageable chunks, then just piece it
back together in a script. With the smallest set I found some inconsistencies
with the results, particularly with the deep-level details.
Could anyone shed some light, please?
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Script Result
0 frame f:3934722 b:614379823
1 eth f:3934722 b:614379823
2 arp f:214138 b:12840036
2 ip f:3618514 b:589763205
3 bootp f:72 b:24624
3 data f:11368 b:1399242
4 http f:2 b:406
5 data-text-lines f:1 b:79
3 data-text-lines f:181 b:126908
4 http f:59 b:36360
3 gtp f:13 b:5341
3 http f:10758 b:4692732
4 data-text-lines f:269 b:175587
5 http f:17 b:11648
4 http f:79 b:10941
5 data-text-lines f:28 b:4257
6 http f:8 b:432
5 http f:21 b:2800
5 xml f:1 b:611
4 image-gif f:1 b:100
4 media f:5 b:4486
3 icmp f:742420 b:53362658
3 igmp f:122 b:6524
3 nbns f:291377 b:26818873
3 nbss f:105 b:70120
4 smb f:105 b:70120
5 nbss f:12 b:7804
3 ntp f:1003 b:90270
3 pgsql f:3483 b:384203
4 pgsql f:234 b:89643
5 pgsql f:234 b:89643
6 pgsql f:106 b:41400
3 pop f:16842 b:21521221
3 pptp f:29 b:15640
3 rmi f:2 b:1698
3 smtp f:25297 b:34942586
3 ssl f:22 b:6657
3 tcp f:656372 b:326883683
4 data f:36858 b:15489110
4 data-text-lines f:11 b:594
5 http f:7 b:378
4 dcerpc f:2 b:1755
5 data f:1 b:241
5 malformed f:1 b:1514
6 dcerpc.cn_deseg_req f:1 b:1514
4 dcerpc.cn_deseg_req f:1 b:1514
4 etheric f:22 b:4339
4 gift f:44 b:42749
4 http f:5029 b:2709366
5 data-text-lines f:1105 b:856545
6 http f:164 b:95930
5 http f:94 b:30281
6 data-text-lines f:3 b:928
6 http f:37 b:14698
7 data-text-lines f:5 b:3142
7 http f:8 b:1698
7 xml f:2 b:108
5 xml f:146 b:56146
4 icap f:14 b:12549
4 media f:1 b:54
4 msnms f:3 b:1939
4 nbss f:89850 b:18312895
5 data f:705 b:144613
5 dcerpc f:30 b:5700
5 nbss f:28 b:16033
6 smb f:28 b:16033
5 pipe f:34 b:7611
6 dcerpc f:30 b:6840
6 lanman f:4 b:771
5 smb f:89159 b:17725231
6 data f:436 b:26744
6 dcerpc f:16 b:3040
6 nbss f:464 b:251061
7 smb f:383 b:195626
6 pipe f:16 b:3616
7 dcerpc f:16 b:3616
4 pgsql f:19435 b:2016931
5 pgsql f:4482 b:733660
6 pgsql f:981 b:437977
7 pgsql f:392 b:122154
4 pop f:94144 b:118055345
4 rmi f:4 b:3396
4 smpp f:1 b:1514
5 data f:1 b:1514
4 smtp f:23986 b:31712584
4 socks f:58 b:8701
4 ssh f:6381 b:803747
4 ssl f:360 b:189643
5 malformed f:96 b:136298
4 tcp.segments f:2633 b:1247730
5 http f:776 b:478525
6 data-text-lines f:771 b:475408
7 http f:11 b:7071
6 image-gif f:1 b:1098
6 media f:1 b:448
5 media f:3 b:1571
5 pgsql f:113 b:63266
6 pgsql f:52 b:58447
7 pgsql f:52 b:58447
4 telnet f:57706 b:28341521
5 malformed f:1 b:55
4 tpkt f:2 b:789
4 xml f:53 b:26896
3 tcp.segments f:549 b:238804
4 http f:137 b:58258
5 data-text-lines f:134 b:56932
6 http f:7 b:4315
4 media f:3 b:1326
4 pgsql f:86 b:36274
5 pgsql f:49 b:33351
6 pgsql f:49 b:33351
3 udp f:2219600 b:209510340
4 bootp f:30 b:10260
4 data f:4412 b:383805
4 dns f:370813 b:34266576
4 http f:2560 b:1101405
4 nbdgm f:11128 b:2775051
5 smb f:11128 b:2775051
6 mailslot f:11128 b:2775051
7 browser f:10608 b:2579098
7 data f:348 b:151376
7 smb_netlogon f:172 b:44577
4 nbns f:1499073 b:137978638
4 ntp f:256 b:23040
4 rip f:20510 b:1353660
3 xml f:34 b:14182
2 ipx f:9107 b:1802705
3 ipxrip f:88 b:5280
3 nmpi f:8967 b:1794305
4 smb f:7304 b:1603060
5 mailslot f:7304 b:1603060
6 browser f:7176 b:1570298
6 smb_netlogon f:128 b:32762
2 ipxrip f:38 b:2280
2 ipxsap f:14 b:840
2 llc f:45075 b:8356882
3 cdp f:18884 b:3965873
3 ipx f:2466 b:493793
4 nmpi f:2460 b:493433
5 smb f:2035 b:444558
6 mailslot f:2035 b:444558
7 browser f:2005 b:436905
7 smb_netlogon f:30 b:7653
3 ipxrip f:6 b:360
3 netbios f:11620 b:1658532
4 smb f:9226 b:1512498
5 mailslot f:9226 b:1512498
6 browser f:9098 b:1486648
6 smb_netlogon f:128 b:25850
2 loop f:56907 b:3414420
3 data f:56907 b:3414420
2 netbios f:3086 b:441259
3 smb f:2491 b:404964
4 mailslot f:2491 b:404964
5 browser f:2461 b:398931
5 smb_netlogon f:30 b:6033
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
tshark Result
===================================================================
Protocol Hierarchy Statistics
Filter: frame
frame frames:3934722 bytes:614379823
eth frames:3934722 bytes:614379823
ip frames:3618514 bytes:589763205
tcp frames:656372 bytes:326883683
ssh frames:6381 bytes:803747
nbss frames:90166 bytes:17935333
smb frames:88040 bytes:17268744
nbss frames:411 bytes:211659
smb frames:411 bytes:211659
nbss frames:85 bytes:61176
smb frames:85 bytes:61176
nbss frames:27 bytes:22611
smb frames:27 bytes:22611
nbss frames:3 bytes:2716
smb frames:3 bytes:2716
dcerpc frames:46 bytes:8740
pipe frames:50 bytes:11227
dcerpc frames:46 bytes:10456
srvsvc frames:46 bytes:10456
lanman frames:4 bytes:771
data frames:989 bytes:201796
data frames:435 bytes:562252
telnet frames:57847 bytes:28349276
malformed frames:1 bytes:55
pop frames:110986 bytes:139576566
http frames:6365 bytes:3397470
data-text-lines frames:1250 bytes:1077560
http frames:198 bytes:141397
http frames:222 bytes:51459
data-text-lines frames:88 bytes:14345
http frames:57 bytes:3351
data-text-lines frames:19 bytes:1026
http frames:16 bytes:864
data-text-lines frames:9 bytes:486
http frames:5 bytes:270
http frames:3 bytes:162
data-text-lines frames:2 bytes:108
http frames:1 bytes:54
media frames:1 bytes:54
http frames:1 bytes:54
data-text-lines frames:2 bytes:108
http frames:1 bytes:54
data-text-lines frames:1 bytes:54
http frames:1 bytes:54
data-text-lines frames:1 bytes:54
http frames:6 bytes:324
http frames:4 bytes:216
data-text-lines frames:2 bytes:108
http frames:2 bytes:108
data-text-lines frames:2 bytes:108
http frames:1 bytes:54
media frames:1 bytes:54
...http frames:1 bytes:54
http frames:2 bytes:108
data-text-lines frames:2 bytes:108
data-text-lines frames:2 bytes:108
http frames:1 bytes:54
data-text-lines frames:1 bytes:54
http frames:1 bytes:54
http frames:1 bytes:54
media frames:1 bytes:54
media frames:1 bytes:54
http frames:20 bytes:1080
http frames:12 bytes:648
http frames:5 bytes:270
data-text-lines frames:5 bytes:270
http frames:3 bytes:162
http frames:1 bytes:54
http frames:1 bytes:54
data-text-lines frames:1 bytes:54
data-text-lines frames:1 bytes:54
http frames:1 bytes:54
http frames:1 bytes:54
http frames:1 bytes:54
...data-text-lines frames:1 bytes:54
...http frames:1 bytes:54
...data-text-lines frames:1 bytes:54
...http frames:1 bytes:54
...media frames:1 bytes:54
...http frames:1 bytes:54
...data-text-lines frames:1 bytes:54
data-text-lines frames:7 bytes:378
http frames:4 bytes:216
data-text-lines frames:1 bytes:54
http frames:1 bytes:54
http frames:1 bytes:54
http frames:1 bytes:54
data-text-lines frames:1 bytes:54
...http frames:1 bytes:54
...data-text-lines frames:1 bytes:54
...http frames:1 bytes:54
...media frames:1 bytes:54
...http frames:1 bytes:54
...data-text-lines frames:1 bytes:54
http frames:2 bytes:108
http frames:2 bytes:108
data-text-lines frames:1 bytes:54
http frames:1 bytes:54
http frames:1 bytes:54
...http frames:1 bytes:54
...http frames:1 bytes:54
...data-text-lines frames:1 bytes:54
http frames:1 bytes:54
data-text-lines frames:1 bytes:54
data-text-lines frames:3 bytes:162
http frames:2 bytes:108
data-text-lines frames:2 bytes:108
http frames:1 bytes:54
http frames:1 bytes:54
http frames:1 bytes:54
data-text-lines frames:1 bytes:54
http frames:1 bytes:54
...data-text-lines frames:1 bytes:54
...http frames:1 bytes:54
...media frames:1 bytes:54
...http frames:1 bytes:54
...data-text-lines frames:1 bytes:54
http frames:113 bytes:35707
data-text-lines frames:32 bytes:9132
http frames:18 bytes:2413
data-text-lines frames:8 bytes:920
http frames:3 bytes:650
media frames:2 bytes:596
http frames:2 bytes:596
data-text-lines frames:1 bytes:542
http frames:1 bytes:542
data-text-lines frames:1 bytes:542
http frames:1 bytes:54
http frames:1 bytes:54
http frames:1 bytes:54
data-text-lines frames:1 bytes:54
...http frames:1 bytes:54
data-text-lines frames:1 bytes:54
http frames:1 bytes:54
media frames:1 bytes:54
http frames:1 bytes:54
data-text-lines frames:1 bytes:54
http frames:7 bytes:1331
http frames:5 bytes:1223
http frames:3 bytes:1115
data-text-lines frames:3 bytes:1115
data-text-lines frames:2 bytes:108
http frames:1 bytes:54
http frames:1 bytes:54
http frames:1 bytes:54
data-text-lines frames:1 bytes:54
http frames:1 bytes:54
...http frames:1 bytes:54
...http frames:1 bytes:54
...data-text-lines frames:1 bytes:54
data-text-lines frames:2 bytes:108
http frames:1 bytes:54
http frames:1 bytes:54
data-text-lines frames:1 bytes:54
http frames:1 bytes:54
media frames:1 bytes:54
http frames:1 bytes:54
...data-text-lines frames:1 bytes:54
media frames:2 bytes:108
http frames:1 bytes:54
http frames:76 bytes:25748
data-text-lines frames:11 bytes:1382
http frames:1 bytes:54
http frames:53 bytes:23718
http frames:23 bytes:16019
data-text-lines frames:5 bytes:4605
http frames:18 bytes:11414
data-text-lines frames:7 bytes:3143
http frames:11 bytes:8271
http frames:7 bytes:6619
http frames:7 bytes:6619
http frames:5 bytes:4578
http frames:3 bytes:4470
data-text-lines frames:2 bytes:2980
http frames:1 bytes:1490
...data-text-lines frames:1 bytes:1490
data-text-lines frames:2 bytes:2041
data-text-lines frames:3 bytes:1598
data-text-lines frames:18 bytes:6907
http frames:1 bytes:54
xml frames:3 bytes:719
http frames:1 bytes:611
data-text-lines frames:1 bytes:611
media frames:2 bytes:381
xml frames:233 bytes:97224
ssl frames:355 bytes:189044
malformed frames:96 bytes:136298
tcp.segments frames:3176 bytes:1484262
http frames:1157 bytes:612365
data-text-lines frames:1143 bytes:603336
http frames:18 bytes:11386
media frames:12 bytes:7831
image-gif frames:2 bytes:1198
pgsql frames:535 bytes:283350
pgsql frames:277 bytes:262063
pgsql frames:277 bytes:262063
pgsql frames:204 bytes:242756
pgsql frames:140 bytes:186316
pgsql frames:116 bytes:163952
pgsql frames:68 bytes:98683
pgsql frames:17 bytes:23313
pgsql frames:8 bytes:11872
nbss frames:1224 bytes:526607
smb frames:1224 bytes:526607
nbss frames:93 bytes:63239
smb frames:93 bytes:63239
nbss frames:52 bytes:36740
smb frames:52 bytes:36740
nbss frames:7 bytes:5652
smb frames:7 bytes:5652
data frames:436 bytes:26744
dcerpc frames:1 bytes:241
data frames:1 bytes:241
smpp frames:1 bytes:1514
data frames:1 bytes:1514
data frames:1 bytes:79
http frames:1 bytes:79
data-text-lines frames:1 bytes:79
smtp frames:49283 bytes:66655170
pgsql frames:19115 bytes:1911213
pgsql frames:1073 bytes:346927
pgsql frames:1026 bytes:343044
pgsql frames:491 bytes:154720
pgsql frames:257 bytes:91416
pgsql frames:245 bytes:75497
pgsql frames:244 bytes:74402
pgsql frames:244 bytes:74402
pgsql frames:46 bytes:31832
pgsql frames:46 bytes:31832
pgsql frames:46 bytes:31832
pgsql frames:46 bytes:31832
pgsql frames:46 bytes:31832
...pgsql frames:46 bytes:31832
...pgsql frames:46 bytes:31832
...pgsql frames:46 bytes:31832
...pgsql frames:46 bytes:31832
...pgsql frames:46 bytes:31832
data frames:38424 bytes:15511513
http frames:1 bytes:327
etheric frames:22 bytes:4339
icap frames:14 bytes:12549
msnms frames:3 bytes:1939
dcerpc.cn_deseg_req frames:1 bytes:1514
dcerpc frames:1 bytes:1514
malformed frames:1 bytes:1514
dcerpc.cn_deseg_req frames:1 bytes:1514
rmi frames:6 bytes:5094
ssl frames:27 bytes:7256
socks frames:58 bytes:8701
gift frames:44 bytes:42749
tpkt frames:2 bytes:789
pptp frames:29 bytes:15640
gtp frames:13 bytes:5341
udp frames:2219600 bytes:209510340
nbns frames:1790450 bytes:164797511
dns frames:370813 bytes:34266576
data frames:13767 bytes:1197708
rip frames:20510 bytes:1353660
bootp frames:102 bytes:34884
nbdgm frames:11128 bytes:2775051
smb frames:11128 bytes:2775051
mailslot frames:11128 bytes:2775051
browser frames:10608 bytes:2579098
data frames:348 bytes:151376
smb_netlogon frames:172 bytes:44577
ntp frames:1259 bytes:113310
http frames:11571 bytes:4971640
icmp frames:742420 bytes:53362658
igmp frames:122 bytes:6524
arp frames:214138 bytes:12840036
llc frames:45075 bytes:8356882
cdp frames:18884 bytes:3965873
netbios frames:14706 bytes:2099791
smb frames:11717 bytes:1917462
mailslot frames:11717 bytes:1917462
browser frames:11559 bytes:1885579
smb_netlogon frames:158 bytes:31883
ipx frames:11485 bytes:2291218
nmpi frames:11427 bytes:2287738
smb frames:9339 bytes:2047618
mailslot frames:9339 bytes:2047618
browser frames:9181 bytes:2007203
smb_netlogon frames:158 bytes:40415
ipxrip frames:44 bytes:2640
ipxsap frames:14 bytes:840
loop frames:56907 bytes:3414420
data frames:56907 bytes:3414420
ipx frames:88 bytes:5280
ipxrip frames:88 bytes:5280
===================================================================
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
--
Alec Joseph Rivera
F S 3 Consulting Inc.
http://www.fs3.ph
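The two listings above agree exactly on the stateless levels (frame, eth, ip, tcp and udp all match) and diverge below them (nbss 89850 vs 90166, telnet 57706 vs 57847, and the whole tcp.segments subtree). That is what per-chunk dissection does: TCP reassembly, conversation tracking and heuristic dissection restart at every chunk boundary, so a segment whose stream began in an earlier chunk is classified differently from how it is classified when the whole file is dissected in one pass. Adding per-protocol lines across chunks is therefore only safe for the top of the hierarchy. The script below is an added example for this thread, not the poster's script and not part of Wireshark: it parses the `tshark -q -z io,phs` output of each chunk into path-keyed counts (assuming the layout shown in the post, one `proto frames:N bytes:M` line per node with two spaces of indent per level), sums them path by path, prints them in the poster's `depth proto f:N b:M` layout, and reports every path where the chunk sum disagrees with a single whole-file run. The three PHS texts embedded in it are constructed sample output with made-up numbers, chosen so that a reassembled HTTP response straddles the chunk boundary.

```python
"""Merge tshark protocol-hierarchy statistics from capture chunks and
check them against a whole-file run.

Added example for the wireshark-users thread; not the poster's script
and not Wireshark code.  Assumes the `tshark -q -z io,phs` text layout:
one "proto frames:N bytes:M" line per node, two spaces of indent per level.
"""
import re
from collections import OrderedDict

# One PHS node line; banner, "Protocol Hierarchy Statistics" and "Filter:" lines do not match.
LINE_RE = re.compile(
    r"^(?P<indent> *)(?P<proto>\S+)\s+frames:(?P<frames>\d+)\s+bytes:(?P<bytes>\d+)\s*$"
)


def parse_phs(text):
    """Map each protocol path tuple, e.g. ('frame','eth','ip','tcp','http'),
    to (frames, bytes).  Paths are rebuilt from indentation so that http
    under tcp and http under udp stay distinct."""
    stats = OrderedDict()
    stack = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("indent")) // 2
        del stack[depth:]                      # back up to this node's parent
        stack.append(m.group("proto"))
        stats[tuple(stack)] = (int(m.group("frames")), int(m.group("bytes")))
    return stats


def merge(chunks):
    """Path-wise sum of several parse_phs() results."""
    total = OrderedDict()
    for stats in chunks:
        for path, (f, b) in stats.items():
            tf, tb = total.get(path, (0, 0))
            total[path] = (tf + f, tb + b)
    return total


def to_script_format(stats):
    """Render in the 'depth proto f:N b:M' layout used in the post."""
    return ["%d %s f:%d b:%d" % (len(p) - 1, p[-1], f, b) for p, (f, b) in stats.items()]


def diff(merged, whole):
    """Paths whose counts differ between the chunk sum and the whole-file run.
    A path absent on one side is reported as (0, 0) for that side."""
    out = {}
    for path in set(merged) | set(whole):
        a, b = merged.get(path, (0, 0)), whole.get(path, (0, 0))
        if a != b:
            out[path] = (a, b)
    return out


# Constructed sample output (made-up numbers).  An HTTP response starts in
# chunk 1 and its remaining segments land in chunk 2, where, with no stream
# start to reassemble against, tshark can only call them "data".
CHUNK1 = """===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame                                    frames:10 bytes:5000
  eth                                    frames:10 bytes:5000
    ip                                   frames:10 bytes:5000
      tcp                                frames:10 bytes:5000
        http                             frames:4 bytes:2000
          data-text-lines                frames:2 bytes:1000
        data                             frames:3 bytes:1800
===================================================================
"""
CHUNK2 = """frame frames:6 bytes:3000
  eth frames:6 bytes:3000
    ip frames:6 bytes:3000
      tcp frames:6 bytes:3000
        data frames:4 bytes:2400
"""
# The same 16 frames dissected in one pass: the 4 continuation segments are
# reassembled and counted under tcp.segments -> http instead of data.
WHOLE = """frame frames:16 bytes:8000
  eth frames:16 bytes:8000
    ip frames:16 bytes:8000
      tcp frames:16 bytes:8000
        http frames:4 bytes:2000
          data-text-lines frames:2 bytes:1000
        data frames:3 bytes:1800
        tcp.segments frames:4 bytes:2400
          http frames:4 bytes:2400
"""
CHUNKS = [CHUNK1, CHUNK2]


def merged_stats():
    return merge(parse_phs(t) for t in CHUNKS)


def inconsistencies():
    return diff(merged_stats(), parse_phs(WHOLE))


if __name__ == "__main__":
    print("\n".join(to_script_format(merged_stats())))
    for path, (chunk_sum, whole) in sorted(inconsistencies().items()):
        print("MISMATCH %-45s chunks=%s whole=%s" % ("/".join(path), chunk_sum, whole))
```

In real use, feed it the output of `tshark -q -z io,phs -r chunkN.pcap` for each chunk; only the paths the diff leaves alone (here frame, eth, ip, tcp) can be trusted as additive, and any subtree that depends on reassembly or conversation state needs a whole-file run or chunks cut at points where no streams are in flight.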