Wireshark-users: Re: [Wireshark-users] Using Tshark to Total Packet Sizes -> help needed

From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Tue, 16 Jun 2009 21:45:17 +1000
Just checking, but your code is producing a running total every 60
seconds (rather than a total for each 60 secs) so it will always get
bigger - is this what you intended?

Also you expressed concern about using Big Ints. Why not use floats -
do you really need the precision?

Finally (and I'm not knocking using Perl) it's just that it might be
more efficient to use the built-in "-z conv,type[,filter]" statistics
capability built into tshark.

Regards, Martin

MartinVisser99@xxxxxxxxx
On Tue, Jun 16, 2009 at 8:57 PM, Phillips, Christopher
M <cmphil@xxxxxxxxxxx> wrote:
> Hello,
>
> I was hoping to get some advice from knowledgeable wireshark/tshark gurus
> out there.
>
> I have a tshark process capturing to file, changing to the next file every
> 60 seconds, from a network card that is receiving mirrored traffic from my
> switch (not used for management by the host OS).
>
> I have written a script that takes the pipe from another tshark process
> which takes a completed 60 second capture file, then displays the srcip, dstip
> and Size (packet size, I assume in bytes), loops around and adds up packet
> sizes per IP for both download and upload.
>
> By download and upload I mean I have a known ip subnet so download is
> unknownip -> knownipsubnet and upload the other way around.
>
> The script works fine; the problem I am having is the figures I am getting.
>
> Each 60 second period the total of the packet sizes per IP is increasing by
> roughly 50%, where I expect them to stay roughly the same with a bit of
> wiggle in either direction.
>
> Looking at the raw data from tshark packet sizes the max Size is 1514.
>
> I have manually added up the packet sizes to eliminate errors in my script.
>
> The IP range I am interested in is all on 10Meg Full Duplex links, but within
> a couple of minutes they exceed their theoretical max.
>
> I am obviously confused about how tshark handles its packets; perhaps repeats
> are being displayed?
>
> Can someone give me a definition of what Size %L actually is?
>
> Either way, I'm stuck; please help.
>
> This is my first time posting to this list so please forgive any newbie
> mistakes.
>
> Regards
>
> Chris
>
> Details of options, scripts etc used
> #####################################
>
> Host OS:
> Linux Ubuntu
>
> Network Card used for capture:
> Intel Corporation 82540EM Gigabit Ethernet Controller
>
> Traffic Source:
> Port mirror of a 1GB uplink from a router with traffic level generally
> around 350Mb/s
>
> Contents of .wireshark->pref:
> cp.check_checksum: FALSE
> tcp.desegment_tcp_streams: FALSE
> tcp.analyze_sequence_numbers: FALSE
> tcp.desegment_tcp_streams: FALSE
> ip.defragment: FALSE
> dns.desegment_dns_messages: FALSE
>
> Capture tshark process run with following options (I fork this off in perl):
> where $capture_duration is 60.
>
> tshark -i $capture_interface -b duration:$capture_duration -s 64 -f 'not
> broadcast and not multicast and not icmp' -n -w
> $path_capture_files$path_capture_prefix`;
>
> The tshark I use to display the capture file and pipe into my script:
>
> open (TSHARK_PIPE,"/usr/bin/tshark -n -r $file_capture -o
> column.format:\"\"Source\",\"\%s\",\"Destination\",\"\%d\",\"Size\",\"\%L\"\"
> not ipv6 |");
>
> I did try using the line below, but it ran 60% slower than the above line.
>
> Obviously speed is a factor, as my script must finish processing a capture file
> in less time than the capture duration time.
>
> open (TSHARK_PIPE,"/usr/bin/tshark -n -r $file_capture -T text -T fields -E
> separator=# -e ip.src -e ip.dst -e frame.pkt_len |");
>
> Small bit of my script to get a clear idea of what I'm doing (IP address
> ranges have been changed to protect the innocent ^^):
>
> while (<TSHARK_PIPE>) {
>     chomp;
>     # tshark text output: "src -> dst size", so $spacer receives the "->"
>     my ($ipsrc,$spacer,$ipdst,$size) = split ' ';
>     if (defined $size) {
>         # Does packet belong to DOWNLOAD ie. ipdst = 111.111.0.0/16
>         if ($ipdst =~ /^111\.111\.\d+\.\d+$/) {
>             if (exists $ip_data_download_totals{$ipdst}) {
>                 # Add the size of the packet on
>                 $ip_data_download_totals{$ipdst} += $size;
>             } else {
>                 $ip_data_download_totals{$ipdst} = $size;
>             }
>         }
>     }
> }
>
> I then take those totals for a 60 second period and add them onto another
> total for my longer period, 10 mins or so.
>
> I need to do it this way as the larger total requires Bigints for sizes in
> bytes of that period, and Bigints are Slooow to process.
>
> Example of 60 second totals for unknownip->single known ip in bytes:
> 112263545
> 164527439
> 229262902
> 278524189
> 332487210
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
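As an added example (not code from either poster), the per-interval accounting Martin is describing, written in Python, with the running-total variant beside it for contrast and a sanity check against the 10 Mb/s links the post mentions; the sample lines and the 111.111.0.0/16 "known" subnet are constructed placeholders.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed sample lines in the "-T fields -E separator=# -e ip.src -e ip.dst
# -e frame.len" shape from the post; each inner list stands in for one completed
# 60-second capture file. 111.111.0.0/16 is the post's placeholder "known" subnet.
SAMPLE_FILES = [
    ["203.0.113.9#111.111.5.20#1514", "111.111.5.20#203.0.113.9#64",
     "198.51.100.2#111.111.5.20#1514", "203.0.113.9#111.111.5.21#500"],
    ["203.0.113.9#111.111.5.20#1514", "111.111.5.20#203.0.113.9#64",
     "198.51.100.2#111.111.5.20#1514", "203.0.113.9#111.111.5.21#500"],
]
KNOWN = ip_network("111.111.0.0/16")

def classify(line):
    """Map one 'src#dst#len' line to ('download'|'upload'|None, ip, bytes)."""
    src, dst, size = line.strip().split("#")
    s, d = ip_address(src), ip_address(dst)
    if d in KNOWN and s not in KNOWN:
        return "download", dst, int(size)   # unknown -> known subnet
    if s in KNOWN and d not in KNOWN:
        return "upload", src, int(size)     # known subnet -> unknown
    return None, None, int(size)            # internal or external-only traffic

def add_file(lines, totals):
    """Accumulate one capture file into totals[direction][ip] (mutates totals)."""
    for line in lines:
        direction, ip, size = classify(line)
        if direction:
            totals[direction][ip] += size   # Python ints never overflow
    return totals

def per_interval_totals(files):
    """Correct: fresh counters per file, so steady traffic gives steady figures."""
    return [add_file(f, {"download": defaultdict(int), "upload": defaultdict(int)})
            for f in files]

def running_download_totals(files):
    """The running-total bug: one counter shared across files and never reset,
    so each interval's figure also contains every earlier interval's bytes."""
    totals = {"download": defaultdict(int), "upload": defaultdict(int)}
    return [dict(add_file(f, totals)["download"]) for f in files]

def link_bytes_per_interval(mbps, seconds=60):
    """Most bytes one direction of a link can carry in `seconds`; 10 Mb/s for
    60 s is 75,000,000 bytes, which the post's 60-second figures all exceed."""
    return mbps * 1_000_000 // 8 * seconds

def exceeds_link(total_bytes, mbps=10, seconds=60):
    return total_bytes > link_bytes_per_interval(mbps, seconds)
```

tshark's own conversation statistic (tshark -q -z conv,ip -r file) gives per-address frame and byte counts for a capture file without any external script.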