Wireshark-users: Re: [Wireshark-users] tshark protocol hierarchy statistics frames count

Date: Wed, 20 May 2009 16:51:13 +0200
Hi Florent,

I think the answer is in the User's Guide:
http://www.wireshark.org/docs/wsug_html_chunked/ChStatHierarchy.html
Note! 
Packets will usually contain multiple protocols, so more than one protocol
will be counted for each packet. Example: In the screenshot IP has 99,17%
and TCP 85,83% (which is together much more than 100%). 
 
Note! 
Protocol layers can consist of packets that won't contain any higher layer
protocol, so the sum of all higher layer packets may not sum up to the protocols
packet count. Example: In the screenshot TCP has 85,83% but the sum of the
subprotocols (HTTP, ...) is much less. This may be caused by TCP protocol
overhead, e.g. TCP ACK packets won't be counted as packets of the higher
layer). 
 
Note! 
A single packet can contain the same protocol more than once. In this case,
the protocol is counted more than once. For example: in some tunneling configurations
the IP layer can appear twice. 
 
Regards
Joan


On Wed, 20 May 2009 13:55:57 +0200 Florent Deybach wrote:
>Hello everybody,
>
>I am using tshark to get the protocol hierarchy on several PCAP files
>with the following command:
>
>For example:
>
>#tshark.exe -qz io,phs -r file-00018.cap
>
>The output is:
>
>=============================================
>Protocol Hierarchy Statistics
>Filter: frame
>
>frame                                    frames:26721 bytes:21836862
>  eth                                    frames:26721 bytes:21836862
>    ip                                   frames:26721 bytes:21836862
>      tcp                                frames:25921 bytes:21675514
>        http                             frames:11289 bytes:13681015
>          short                          frames:11261 bytes:13679287
>        data                             frames:765 bytes:232183
>        ssl                              frames:5330 bytes:5761777
>          short                          frames:4713 bytes:4972534
>          unreassembled                  frames:597 bytes:787991
>        short                            frames:1479 bytes:1337465
>        tpkt                             frames:182 bytes:39858
>        nbss                             frames:178 bytes:163832
>          short                          frames:75 bytes:31104
>          data                           frames:2 bytes:1510
>        dns                              frames:32 bytes:12805
>          short                          frames:32 bytes:12805
>        smtp                             frames:59 bytes:27203
>        rmi                              frames:14 bytes:5110
>        unreassembled                    frames:24 bytes:4000
>          dns                            frames:1 bytes:1423
>            short                        frames:1 bytes:1423
>        ssh                              frames:1 bytes:75
>          short                          frames:1 bytes:75
>        gtp                              frames:1 bytes:206
>        ldap                             frames:5 bytes:3204
>          short                          frames:4 bytes:3136
>      udp                                frames:774 bytes:159268
>        dns                              frames:711 bytes:145595
>          short                          frames:687 bytes:144149
>        kerberos                         frames:14 bytes:7435
>          short                          frames:14 bytes:7435
>        ntp                              frames:17 bytes:1530
>          short                          frames:17 bytes:1530
>        bootp                            frames:3 bytes:1026
>          short                          frames:3 bytes:1026
>        data                             frames:8 bytes:480
>        nbns                             frames:9 bytes:1361
>          short                          frames:8 bytes:1263
>        snmp                             frames:8 bytes:974
>          short                          frames:6 bytes:732
>        cldap                            frames:1 bytes:237
>          short                          frames:1 bytes:237
>        malformed                        frames:1 bytes:60
>        nbdgm                            frames:2 bytes:570
>          short                          frames:2 bytes:570
>      icmp                               frames:25 bytes:1926
>        short                            frames:16 bytes:1256
>      esp                                frames:1 bytes:154
>============================================
>
>
>As you can see, I captured the frames with tcpdump limiting the
>captured frame size to 68 bytes so there are several frames that are
>truncated.
>That is why you can see under almost each protocol a "short" line.
>
>The problem is that tshark seems to "forget" (or cannot classify)
>several frames in the TCP frame count. But only in the TCP frames, not
>UDPs.
>
>When you take the total of TCP frames: "frames:25921", the sum of each
>protocol in the TCP column immediately "under" the TCP column (without
>"short") is only 19359
>
>http                  frames:11289 bytes:13681015
>data                 frames:765bytes:232183
>ssl                   frames:5330bytes:5761777
>short                frames:1479bytes:1337465
>tpkt                  frames:182 bytes:39858
>nbss                frames:178 bytes:163832
>dns                  frames:32 bytes:12805
>smtp                frames:59 bytes:27203
>rmi                   frames:14 bytes:5110
>unreassembled	frames:24 bytes:4000
>ssh	                frames:1 bytes:75
>gtp	                frames:1 bytes:206
>ldap	                frames:5 bytes:3204
>
>So there are 25921 - 19359 = 6562 missing frames.
>
>I have the same behavior with 20 other files containing each 2.000.000
>frames, there are 500.000 TCP frames that are not counted on
>average....
>
>Do you see where the problem is? (I hope I made myself clear ;))
>
>Thanks!
>
>Florent
>___________________________________________________________________________
>Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>Archives:    http://www.wireshark.org/lists/wireshark-users
>Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe