Wireshark-users: [Wireshark-users] Using Tshark to Total Packet Sizes -> help needed

From: "Phillips, Christopher M" <cmphil@xxxxxxxxxxx>
Date: Tue, 16 Jun 2009 11:57:45 +0100

Hello,

I was hoping to get some advice from the knowledgeable Wireshark/tshark gurus out there.

I have a tshark process capturing to file, changing to the next file every 60 seconds, from a network card that is receiving mirrored traffic from my switch (the card is not used for management by the host OS).

I have written a script that takes the pipe from another tshark process, which takes a completed 60 second capture file and displays the srcip, dstip and Size (packet size, I assume in bytes); the script loops around and adds up the packet sizes per IP for both download and upload.

By download and upload I mean: I have a known IP subnet, so download is unknownip -> knownipsubnet and upload is the other way around.

The script works fine; the problem I am having is the figures I am getting.

Each 60 second period the total of the packet sizes per IP increases by roughly 50%, where I expect it to stay roughly the same with a bit of wiggle in either direction.

Looking at the raw data from tshark, the max Size is 1514.

I have manually added up the packet sizes to eliminate errors in my script.

The IP range I am interested in is all on 10Meg full duplex links, but within a couple of minutes they exceed their theoretical max.

I am obviously confused about how tshark handles its packets; perhaps repeats are being displayed?

Can someone give me a definition of what Size %L actually is?

Either way I'm stuck, please help.

This is my first time posting to this list so please forgive any newbie mistakes.

Regards

Chris

Details of options, scripts etc used

#####################################

Host OS:
Linux Ubuntu

Network Card used for capture:
Intel Corporation 82540EM Gigabit Ethernet Controller

Traffic Source:
Port mirror of a 1GB uplink from a router with traffic level generally around 350Mb/s

Contents of .wireshark->pref:

cp.check_checksum: FALSE
tcp.desegment_tcp_streams: FALSE
tcp.analyze_sequence_numbers: FALSE
tcp.desegment_tcp_streams: FALSE
ip.defragment: FALSE
dns.desegment_dns_messages: FALSE

The capture tshark process is run with the following options (I fork this off in Perl), where $capture_duration is 60:

tshark -i $capture_interface -b duration:$capture_duration -s 64 -f 'not broadcast and not multicast and not icmp' -n -w $path_capture_files$path_capture_prefix

The tshark I use to display the capture file and pipe into my script:

open (TSHARK_PIPE,"/usr/bin/tshark -n -r $file_capture -o column.format:\"\"Source\",\"\%s\",\"Destination\",\"\%d\",\"Size\",\"\%L\"\" not ipv6 |");

I did try using the line below, but it ran 60% slower than the above line. Obviously speed is a factor, as my script must finish processing a capture file in less time than the capture duration.

open (TSHARK_PIPE,"/usr/bin/tshark -n -r $file_capture -T text -T fields -E separator=# -e ip.src -e ip.dst -e frame.pkt_len |");

Small bit of my script to get a clear idea of what I'm doing (IP address ranges have been changed to protect the innocent ^^):

    while (<TSHARK_PIPE>) {
        chomp;
        # tshark prints "src -> dst size" for the column format above,
        # so the second field is the "->" spacer
        my ($ipsrc,$spacer,$ipdst,$size) = split ' ';
        if (defined $size) {
            # Does packet belong to DOWNLOAD ie. ipdst = 111.111.0.0/16
            if ($ipdst =~ /^111\.111\.\d+\.\d+$/) {
                if (exists $ip_data_download_totals{$ipdst}) {
                    # Add the size of the packet on
                    $ip_data_download_totals{$ipdst} += $size;
                } else {
                    $ip_data_download_totals{$ipdst} = $size;
                }
            }
            # (upload branch, known -> unknown, not included in the post)
        }
    }

I then take those totals for a 60 second period and add them onto another total for my longer period, 10 mins or so.

I need to do it this way as the larger total requires bigints for sizes in bytes over that period, and bigints are slooow to process.

Example of 60 second totals for unknownip -> single known IP, in bytes:

112263545
164527439
229262902
278524189
332487210
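Editor's note, added after the post above (this is not Chris's script, nor Wireshark's code). On the %L question: %L is Wireshark's "Packet length (bytes)" column, i.e. frame.len, the length of the frame on the wire, so it reports the full size (up to 1514 here) even though the capture ran with -s 64 and only the first 64 bytes of each frame were written to file. The Python below re-implements the accounting the Perl script does over tshark's "src -> dst size" lines (and the src#dst#size form from the -T fields variant), keeps a fresh per-file total for each 60 second capture before folding it into the long-period total, and adds the sanity check the post is really after: whether a per-file total could have crossed a 10Meg link in 60 seconds at all. The 111.111.0.0/16 range is the placeholder from the post, the sample lines are constructed, and the 10 Mb/s and 60 s figures are assumptions taken from the post.

```python
"""Per-IP byte accounting over tshark summary lines (added example, not the poster's script)."""
import ipaddress
from collections import defaultdict

# Placeholder range from the post ("changed to protect the innocent").
KNOWN_SUBNET = ipaddress.ip_network("111.111.0.0/16")

# Constructed sample output of two 60-second capture files, in the
# "src -> dst size" layout tshark prints for the column format
# Source/%s, Destination/%d, Size/%L.  %L is frame.len, the on-wire length.
FILE_1 = [
    "10.20.30.40 -> 111.111.4.5 1514",
    "111.111.4.5 -> 10.20.30.40 66",
    "10.20.30.40 -> 111.111.4.5 1514",
    "111.111.4.5 -> 111.111.9.9 500",              # known -> known: not counted
    "00:11:22:33:44:55 -> 00:66:77:88:99:aa 60",   # non-IP frame: skipped
]
FILE_2 = [
    "10.20.30.40 -> 111.111.4.5 1514",
    "8.8.8.8 -> 111.111.7.7 64",
]


def parse_line(line, separator=None):
    """Return (src, dst, size) for one tshark line, or None if it is not an IP packet line.

    separator=None parses the 'src -> dst size' column layout; separator='#'
    parses the 'src#dst#size' layout of '-T fields -E separator=#'.
    """
    line = line.strip()
    if not line:
        return None
    if separator is None:
        parts = line.split()
        if len(parts) != 4 or parts[1] != "->":
            return None
        src, _, dst, size = parts
    else:
        parts = line.split(separator)
        if len(parts) != 3:
            return None
        src, dst, size = parts
    try:
        return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(size)
    except ValueError:   # MAC addresses, empty fields, non-numeric size
        return None


def total_file(lines, separator=None):
    """Per-IP download/upload byte totals for ONE capture file.

    Fresh dictionaries per call: nothing carries over from the previous file,
    which is the first thing to check when per-file totals grow linearly.
    """
    download = defaultdict(int)   # unknown -> known, keyed by known dst
    upload = defaultdict(int)     # known -> unknown, keyed by known src
    for line in lines:
        rec = parse_line(line, separator)
        if rec is None:
            continue
        src, dst, size = rec
        src_known, dst_known = src in KNOWN_SUBNET, dst in KNOWN_SUBNET
        if dst_known and not src_known:
            download[str(dst)] += size
        elif src_known and not dst_known:
            upload[str(src)] += size
    return dict(download), dict(upload)


def exceeds_link(total_bytes, seconds=60, link_mbps=10):
    """True if total_bytes cannot have crossed a link_mbps link in `seconds` (one direction)."""
    capacity_bytes = link_mbps * 1_000_000 * seconds // 8   # 75,000,000 for 10 Mb/s x 60 s
    return total_bytes > capacity_bytes


def account(files, separator=None):
    """Per-file totals plus long-period totals (Python ints never overflow, no bigint module needed)."""
    per_file = []
    long_download, long_upload = defaultdict(int), defaultdict(int)
    for lines in files:
        down, up = total_file(lines, separator)
        per_file.append((down, up))
        for ip, n in down.items():
            long_download[ip] += n
        for ip, n in up.items():
            long_upload[ip] += n
    return per_file, dict(long_download), dict(long_upload)


if __name__ == "__main__":
    per_file, long_down, long_up = account([FILE_1, FILE_2])
    for i, (down, up) in enumerate(per_file, 1):
        for ip, n in down.items():
            flag = " (exceeds 10 Mb/s x 60 s!)" if exceeds_link(n) else ""
            print(f"file {i} download {ip}: {n} bytes{flag}")
        for ip, n in up.items():
            print(f"file {i} upload   {ip}: {n} bytes")
    print("long-period download:", long_down, "upload:", long_up)
    # First 60-second figure from the post: 112263545 bytes in 60 s is about 15 Mb/s.
    print("112263545 bytes in 60 s exceeds a 10 Mb/s link:", exceeds_link(112263545))
```

The per-file totals in the sample stay at a few kilobytes regardless of how many files are processed, because total_file starts from empty dictionaries every time; only the long-period totals returned by account grow. Run against real tshark output, exceeds_link flags any 60 second figure above 75,000,000 bytes, which a 10Meg link cannot carry in one direction; every figure in the post's list is above that threshold, so the numbers cannot be genuine per-minute byte counts for a single 10Meg host.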