Wireshark-users: Re: [Wireshark-users] wireshark statistic function (sum)

From: Sake Blok <sake@xxxxxxxxxx>
Date: Tue, 8 Apr 2008 14:46:44 +0200
On Tue, Apr 08, 2008 at 02:16:36PM +0200, Michael.Loetzsch@xxxxxxxxxxxxxxx wrote:
> I need help regarding wireshark statistic function. I would like to 
> analyze the tcp-retransmissions in relation to the time. Therefore 
> I wrote a script with the following command:
>  
> tshark -r example.pcap -qz io,stat,1,0,sum(tcp.analysis.retransmission)"ip.addr==10.10.10.10" > stat.txt
>  
> The first issue: There is a difference between "sum()" and "SUM()":

sum is considered to be a fieldname, SUM() is considered to be one of the
advanced statistics operators.

> tshark: tcp.analysis.retransmission doesn't have integral values, so SUM(*) 
> calculations are not supported on it.
> ...with "sum()" and tshark 0.99.7 I got some stats.

The field "tcp.analysis.retransmission" is a generated field and does
not have any value. It is either there or not. The operator SUM() wants
to make a sum of the value of the field supplied to it over the interval.

You want to make use of the COUNT() operator when you want to *count*
retransmissions.

> The second issue: The releases 0.99.8 and 1.0 work with neither 
> "sum()" nor "SUM()": 
> tshark: Couldn't register io,stat tap: Filter "sum(tcp.analysis.retransmission)ip.addr==10.10.10.10" is invalid - Syntax error.
>  
> Could anybody help me or explain this issue?

I think you need to use something like:

$ tshark -r sharkfest-1.cap -qz io,stat,120,"ip.addr==194.134.109.48 && tcp","COUNT(tcp.analysis.retransmission)ip.addr==194.134.109.48 && tcp.analysis.retransmission"

===================================================================
IO Statistics
Interval: 120.000 secs
Column #0: ip.addr==194.134.109.48 && tcp
Column #1: COUNT(tcp.analysis.retransmission)ip.addr==194.134.109.48 && tcp.analysis.retransmission
                |   Column #0    |   Column #1
Time            |frames|  bytes  |          COUNT
000.000-120.000       0         0                0
120.000-240.000       0         0                0
240.000-360.000     346    109638                9
360.000-480.000     886    311521               15
480.000-600.000     174     95568                5
600.000-720.000     147     56876                1
720.000-840.000     254    112708                4
840.000-960.000      42     23762                2
960.000-1080.000       0         0                0
1080.000-1200.000      13      2192                0
1200.000-1320.000     326    155346                4
===================================================================

$


BEWARE:

"One important thing to note here is that the field that the calculation 
is based on MUST also be part of the filter string or else the calculation 
will fail."

(from the manpage of tshark)

Hope this helps,
Cheers,
     Sake
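A raw COUNT() per interval rises and falls with the traffic volume, so for trend analysis it helps to turn the io,stat table into a retransmission rate per interval. The following Python script is an added example, not part of this mailing-list thread and not Wireshark's own code: it parses the io,stat output format as printed above (the SAMPLE_OUTPUT constant is constructed from the table in the post), computes retransmissions as a fraction of the frames in column #0, and flags intervals above an assumed threshold. The regular expression, the `Interval` class, the 3% threshold and the minimum-frame cutoff are all assumptions of this example.

```python
"""Parse the per-interval table printed by `tshark -qz io,stat,...` and
derive a TCP retransmission rate per interval.

Added example, not from the mailing-list post or from Wireshark itself.
SAMPLE_OUTPUT is constructed from the io,stat output quoted in the post:
column #0 counts frames/bytes matching a display filter, column #1 is
COUNT(tcp.analysis.retransmission) for the same host.
"""
import re
from dataclasses import dataclass

# Constructed sample: the io,stat table from the post, verbatim.
SAMPLE_OUTPUT = """\
===================================================================
IO Statistics
Interval: 120.000 secs
Column #0: ip.addr==194.134.109.48 && tcp
Column #1: COUNT(tcp.analysis.retransmission)ip.addr==194.134.109.48 && tcp.analysis.retransmission
                |   Column #0    |   Column #1
Time            |frames|  bytes  |          COUNT
000.000-120.000       0         0                0
120.000-240.000       0         0                0
240.000-360.000     346    109638                9
360.000-480.000     886    311521               15
480.000-600.000     174     95568                5
600.000-720.000     147     56876                1
720.000-840.000     254    112708                4
840.000-960.000      42     23762                2
960.000-1080.000       0         0                0
1080.000-1200.000      13      2192                0
1200.000-1320.000     326    155346                4
===================================================================
"""


@dataclass
class Interval:
    """One io,stat row (assumed layout: start-end, frames, bytes, COUNT)."""
    start: float
    end: float
    frames: int
    nbytes: int
    retransmissions: int

    @property
    def retrans_ratio(self) -> float:
        """Retransmissions as a fraction of all frames in the interval;
        0.0 for an interval that carried no matching traffic."""
        return self.retransmissions / self.frames if self.frames else 0.0


# A data row looks like "<start>-<end>   frames   bytes   count".
# Header, "Interval:" and "Column #n:" lines do not match this pattern.
ROW_RE = re.compile(r"^\s*(\d+\.\d+)-(\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_io_stat(text: str) -> list:
    """Return the data rows of an io,stat table as Interval objects."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            start, end, frames, nbytes, count = m.groups()
            rows.append(Interval(float(start), float(end),
                                 int(frames), int(nbytes), int(count)))
    return rows


def noisy_intervals(intervals, threshold=0.03, min_frames=20):
    """Intervals whose retransmission ratio exceeds `threshold`.

    Intervals with fewer than `min_frames` frames are skipped: a single
    retransmission in a near-idle interval would otherwise dominate.
    Both cutoffs are assumptions for this example.
    """
    return [iv for iv in intervals
            if iv.frames >= min_frames and iv.retrans_ratio > threshold]


if __name__ == "__main__":
    ivs = parse_io_stat(SAMPLE_OUTPUT)
    for iv in ivs:
        print(f"{iv.start:9.1f}-{iv.end:9.1f}  frames={iv.frames:5d}  "
              f"retrans={iv.retransmissions:3d}  rate={iv.retrans_ratio:6.2%}")
    for iv in noisy_intervals(ivs):
        print(f"above threshold: {iv.start:.0f}-{iv.end:.0f}s "
              f"({iv.retrans_ratio:.1%})")
```

Feed it the captured stat.txt instead of SAMPLE_OUTPUT to work on real data; because it keys on the row layout rather than on the header text, the same parser works whichever display filter was used for column #0, as long as column #1 is a single COUNT() column.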