No, it does two separate things. It gives you stats for all packets, and then displays all packets that match the filter "ftp".
If you want the stats themselves to match a filter, you'd do something like:
tshark -r <file> -z io,stat,1,ftp <--- note the comma - this "ftp" applies a filter to the stats generation. Without a comma you're telling tshark what filter it applies to packets it should *display*.
Careful on using "ftp" filter here, too. The "ftp" filter is going to match any packet that is decoded as FTP protocol - just the management packets. The actual file transfer, on the data channel, will either be decoded as "ftp-data" or (I believe in some cases) just simply as "tcp". Using a filter like "tcp.port==20 or tcp.port==21" might give you the stats you're looking for more reliably.
I forgot to mention that if you don't want tshark to actually display any packets (just the stats table), you'll want to feed it a "display filter" that matches no packets. So you could do something like:
tshark -r <file> -R "not frame" -z io,stat,1,"tcp.port==20 or tcp.port==21" (every packet matches the filter "frame" so a display filter of "not frame" basically says "display any packets")
On Thu, Jul 9, 2009 at 9:20 PM, Lutti Hautameki
<bowkatz@xxxxxxxxx> wrote:
Hello Ian,
I've got a question to you:
when i issue this command : tshark -r C:\test2.pcap -z io,stat,1 ftp
it just shows the io graph of ftp packets or ?