Wireshark-users: Re: [Wireshark-users] regarding tshark option -z io, stat, COUNT(tcp.analysis.du

From: Rikard Svenningsen <wireshark@xxxxxxxxxxxxxx>
Date: Sun, 29 Nov 2009 11:38:50 +0100
By the way.
Would it be possible to let this bug be known as a workaround on the man page, and the syntax -z io,stat,120,"COUNT(smb.time)smb.time" should get more focus because it's not obvious to all that's the way you have to do it on Linux/Unix.

I have been trying to figure out why it has not worked for me for almost a year now.....

So if it was more known to the public, more people would benefit from the workaround and the syntax information.

Best Regards
Rikard Svenningsen

 
2009/11/29 j.snelders <j.snelders@xxxxxxxxxx>
Hi Rikard,

Do you use the , as decimal symbol?
You have to use the . as decimal symbol.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2880

Please check
Settings -> Control Panel -> Regional And Language Options

Regards
Joan


On Sun, 29 Nov 2009 00:05:28 +0100 Rikard wrote:
>
>Now I have tried this:
>tshark -r test_b_hour09.cap -q -z io,stat,120,"COUNT(tcp.analysis.duplicate_ack)tcp.analysis.duplicate_ack","COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission"
>
>It gives this:
>===================================================================
>IO Statistics
>Interval: 120.000 secs
>Column #0:
>                |   Column #0
>Time            |frames|  bytes
>000.000-120.000    2659    732369
>120.000-240.000    8025   2373944
>This is my version of tshark:
>TShark 1.2.2
>
>Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
>This is free software; see the source for copying conditions. There is NO
>warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>
>Compiled with GLib 2.22.2, with libpcap 1.0.0, with libz 1.2.3.3, with POSIX
>capabilities (Linux), with libpcre 7.8, with SMI 0.4.8, with c-ares 1.6.0,
>with
>Lua 5.1, with GnuTLS 2.8.3, with Gcrypt 1.4.4, with MIT Kerberos, with
>GeoIP.
>
>Running on Linux 2.6.31-15-generic, with libpcap version 1.0.0, GnuTLS
>2.8.3,
>Gcrypt 1.4.4.
>
>Built using gcc 4.4.1.
>
>It is running on Ubuntu 9.10 64 bits. version
>
>
>2009/11/28 j.snelders <j.snelders@xxxxxxxxxx>
>
>> Hi Rikard,
>>
>> Try this one:
>> $ tshark -r test.pcap -q -z io,stat,120,"COUNT(tcp.analysis.duplicate_ack)tcp.analysis.duplicate_ack","COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission"
>>
>> ===================================================================
>> IO Statistics
>> Interval: 120.000 secs
>> Column #0: COUNT(tcp.analysis.duplicate_ack)tcp.analysis.duplicate_ack
>> Column #1: COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission
>>                |   Column #0    |   Column #1
>> Time            |          COUNT |          COUNT
>> 000.000-120.000                12                4
>> ===================================================================
>>
>> Best regards
>> Joan
>>
>> On Sat, 28 Nov 2009 14:23:20 +0100 Rikard Svenningsen wrote:
>> >Hi
>> >I am trying to use tshark for analysis of some tcp error on my network.
>> >I intend to use the following command:
>> >tshark -r FileToAnalyse -q -z io,stat,120,COUNT(tcp.analysis.duplicate_ack)tcp.analysis.duplicate_ack,COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission
>> >
>> >The command: tshark ....... tcp.analysis.retransmission is supposed to be on one line to get it to work.
>> >I tried:
>> >-z "io,stat,120,COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission"
>> >and
>> >-z 'io,stat,120,COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission'
>> >and
>> >-z io,stat,120,COUNT\(tcp.analysis.retransmission\)tcp.analysis.retransmission
>> >
>> >If I use it just like this:
>> >-z io,stat,120,COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission
>> >
>> >I get this:
>> >bash: syntax error near unexpected token `('
>> >
>> >Only if I run the command in a DOS prompt in Windows, it will work fine.
>> >-z io,stat,120,COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission
>> >
>> >
>> >--
>> >Best regards
>> >Rikard Svenningsen
>> >Denmark









--
Kind regards
Rikard Svenningsen
Smalager 36
DK-7120
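
The working invocation from this thread as a shell sketch, with a check for the empty `Column #0:` header seen in the TShark 1.2.2 output. This is an added example, not code from the posters or the Wireshark project; the function names are hypothetical, and `LC_ALL=C` is an assumed Linux/Unix counterpart of the Windows regional-settings change.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Build the one-word -z argument: io,stat,<interval>,COUNT(f)f,COUNT(g)g,...
# Write the interval with "." as the decimal symbol (e.g. 0.5, never 0,5).
iostat_arg() {
    arg="io,stat,$1"; shift
    for field in "$@"; do
        arg="$arg,COUNT($field)$field"
    done
    printf '%s\n' "$arg"
}

# Usage: run_iostat capture.pcap 120 field [field...]
# The argument is passed as ONE double-quoted word, so bash never sees a bare "(".
# LC_ALL=C is an assumption: it forces "." as decimal symbol for this process,
# the Linux/Unix counterpart of the Windows regional setting named in the thread.
run_iostat() {
    capture=$1; shift
    LC_ALL=C tshark -r "$capture" -q -z "$(iostat_arg "$@")"
}

# Read tshark output on stdin; succeed only if every "Column #N:" header line
# names a COUNT() expression.
iostat_columns_ok() {
    awk '/^Column #[0-9]+:/ { n++; if ($0 !~ /COUNT\(/) bad++ }
         END { exit (n == 0 || bad > 0) ? 1 : 0 }'
}

# Constructed samples, abridged from the two outputs quoted in the thread.
sample_good() {
    cat <<'EOF'
IO Statistics
Interval: 120.000 secs
Column #0: COUNT(tcp.analysis.duplicate_ack)tcp.analysis.duplicate_ack
Column #1: COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission
EOF
}
sample_bad() {
    cat <<'EOF'
IO Statistics
Interval: 120.000 secs
Column #0:
Time            |frames|  bytes
EOF
}

sample_bad | iostat_columns_ok || echo "filter not applied: check decimal symbol"
```

Piping real output through the check, as in `run_iostat test.pcap 120 tcp.analysis.retransmission | iostat_columns_ok`, turns the silent fallback to frames/bytes columns into a non-zero exit status.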