Wireshark-users: Re: [Wireshark-users] how to analyze udp streams of skype chat

From: "Vineeth Rakesh " <grittygeek@xxxxxxxxx>
Date: Mon, 31 Jan 2011 11:54:17 -0500
Title: Wireshark-users Digest, Vol 56, Issue 26

Hello,

 

I do not know how to measure the delay. I am much interested in the time stamps of the packet when it is sent and received. I am not going to do a VOIP test for QOS or other parameters.

I am basically looking forward to studying the traffic patterns. Probably I need to take the difference of departing and arrival time of packets.

 

Thank You

Vineeth

 

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of wireshark-users-request@xxxxxxxxxxxxx
Sent: Sunday, January 30, 2011 3:00 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Wireshark-users Digest, Vol 56, Issue 26

 


Today's Topics:

   1. Re: tcp.time_delta column with tshark (j.snelders)
   2. tshark: Read filters were specified both with "-R" and with
      additional command-line arguments (Neil Fraser)
   3. Re: tshark: Read filters were specified both with "-R" and
      with additional command-line arguments (Alan Tu)
   4. Re: tshark: Read filters were specified both with "-R" and
      with additional command-line arguments (Neil Fraser)
   5. Re: tshark: Read filters were specified both with "-R" and
      with additional command-line arguments (Alan Tu)
   6. Re: tshark: Read filters were specified both with "-R" and
      with additional command-line arguments (Neil Fraser)
   7. Re: how to analyze udp streams of skype chat (Martin Visser)
   8. Re: tcp.time_delta column with tshark (vincent paul)
   9. Re: tshark: Read filters were specified both with "-R" and
      with additional command-line arguments (Sake Blok)
  10. Re: tcp.time_delta column with tshark (Martin Visser)
  11. WIRESHARK EVENT IN A TECHFEST (NISHANT BULCHANDANI)
  12. about the VOIP bandwidth (nangergong)
  13. Re: how to analyze udp streams of skype chat (nangergong)


----------------------------------------------------------------------

Message: 1
Date: Sun, 30 Jan 2011 01:12:02 +0100
From: "j.snelders" <j.snelders@xxxxxxxxxx>
To: "Community support list for Wireshark"
        <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tcp.time_delta column with tshark
Message-ID: <4CA9C7750006593A@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="US-ASCII"

On Sat, 29 Jan 2011 17:24:21 +0100 Sake Blok wrote:
>On 29 jan 2011, at 16:52, j.snelders wrote:
>
>> On Sat, 29 Jan 2011 00:26:40 -0800 (PST) vincent paul wrote:
>>>
>>> 1) I try to use tshark to export a capture into csv file. I use -T fields
>>> -E separator=, -e tcp.time_delta....... I could see other column data but
>>> not tcp.time_delta. Any idea.
>>
>> No, but it does print the frame.time_delta
>> $ tshark -r test.pcap -T fields -E separator=, -e frame.number -e frame.time_delta
>
>In order to be able to use tcp.time_relative and tcp.time_delta, you will
>need to enable TCP timestamps. This is disabled by default (for performance
>optimization).
>
>You can check whether tshark is using TCP timestamps:
>
>$ tshark -G currentprefs | grep tcp.calculate_timestamps
>tcp.calculate_timestamps: TRUE
>$
>
>If you want to enable them, use:
>
>tshark -o tcp.calculate_timestamps:TRUE -r <file> -T fields -e ... -e tcp.time_delta -e ...
>
>Cheers,
>
>
>Sake

Thank you ;-)
Joke


      




------------------------------

Message: 2
Date: Sun, 30 Jan 2011 13:58:14 +1100
From: Neil Fraser <cbr250@xxxxxxxxx>
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] tshark: Read filters were specified both
        with "-R" and with additional command-line arguments
Message-ID:
        <AANLkTikV0NC0aVVqh0udr_jcFYMcwz5nUfJ3okdVcn5F@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

I'm having an issue trying to extract certain calls from a dump I have
already made with fairly specific criteria.

It appears it doesn't like the quotation marks I am using in my filter from
Wireshark. I'm a novice at using tshark, so I'll explain what I'm trying to
achieve.

input file : hammer2901b
output file: 0291400000
filter: sip.to.addr == "sip:[email protected]:5060" or sip.to.addr ==
"sip:[email protected]"

command I'm attempting to use in a linux environment:
tshark -r hammer2901b -w 0291400000 -R sip.to.addr == "
sip:[email protected]:5060" or sip.to.addr ==
"sip:[email protected]"

output always remains as: tshark: Read filters were specified both with "-R"
and with additional command-line arguments

Any advice greatly appreciated.

Regards,
Neil Fraser.

------------------------------

Message: 3
Date: Sun, 30 Jan 2011 03:04:26 +0000
From: Alan Tu <8libra@xxxxxxxxx>
To: Community support list for Wireshark
        <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tshark: Read filters were specified
        both with "-R" and with additional command-line arguments
Message-ID:
        <AANLkTim8cvDA6d5hiD10k7BuQ32gH63GEWJF1yPgpOVV@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

Neil, I don't have a Linux environment to play with but try
surrounding the whole display filter in a quote, like:
tshark -r hammer2901b -w 0291400000 -R "sip.to.addr ==
sip:[email protected]:5060 or sip.to.addr ==
sip:[email protected]"

Alan




------------------------------

Message: 4
Date: Sun, 30 Jan 2011 14:14:04 +1100
From: Neil Fraser <cbr250@xxxxxxxxx>
To: Community support list for Wireshark
        <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tshark: Read filters were specified
        both with "-R" and with additional command-line arguments
Message-ID:
        <AANLkTinyq3NooDDpbqERMqSUvLECGSnxOkXPVmCrDkRg@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hi Alan,

Thanks for your response, but unfortunately I get:

tshark: "@" was unexpected in this context.

Regards,



------------------------------

Message: 5
Date: Sun, 30 Jan 2011 03:25:11 +0000
From: Alan Tu <8libra@xxxxxxxxx>
To: Community support list for Wireshark
        <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tshark: Read filters were specified
        both with "-R" and with additional command-line arguments
Message-ID:
        <AANLkTikTDsa_yPnW97MahMLf11kUsuUck16voJTLoA8L@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

Hmm. There are a few things at play. First, your shell environment
interprets the command and arguments. Then Tshark does it too.

I am pretty certain that the display filter needs to be quoted so that
the shell will treat that whole thing as one argument. That's the way
I run my scripts.

You may want to try putting a backslash in front of the @ sign and see
if Tshark likes it better.

Try testing using a simple query (no and clauses), once you have that
working, then build the complex queries.

Alan




------------------------------

Message: 6
Date: Sun, 30 Jan 2011 15:06:43 +1100
From: Neil Fraser <cbr250@xxxxxxxxx>
To: Community support list for Wireshark
        <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tshark: Read filters were specified
        both with "-R" and with additional command-line arguments
Message-ID:
        <AANLkTimQW=iK7u=dfi1Z-4Wbmj5nAJ_vDorY++ZyK9r3@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Thanks, it looks like I'm having success by using:

tshark -r hammer2901b -w 0291400000 -R "sip.To contains 0291400000 or sip.To
contains 1887500412000000"

By using contains rather than == I was able to simplify the query (and get
rid of that annoying @) but still get the same results.

We have a saying here in Australia: K.I.S.S. "keep it simple stupid", it
appears I was trying to be too complex.

Thanks again for your advice.

Best regards,
Neil Fraser




------------------------------

Message: 7
Date: Sun, 30 Jan 2011 16:21:53 +1100
From: Martin Visser <martinvisser99@xxxxxxxxx>
To: Community support list for Wireshark
        <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] how to analyze udp streams of skype
        chat
Message-ID:
        <AANLkTinhXUoNkmLbwhceOU2pGwuFyifaYH1_EvwqnVvi@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8

Vineeth,

I think you have your work cut out for you. Skype is a proprietary,
unpublished protocol. Skype uses its own encryption scheme to boot.

As such you can't really tell a request from a response, (if there is
any), so I really think you won't get very far.

If this is the beginnings of some sort of research project into voice
quality of service, you probably want to concentrate on looking at
more open protocols.

Regards, Martin

MartinVisser99@xxxxxxxxx



On 29 January 2011 05:39, Vineeth <grittygeek@xxxxxxxxx> wrote:
> Hello all,
>
> I have a capture file of a group chat in skype between three persons. I have
> to measure the latency of the packet from source to destination, for
> which I need their time stamps. I see that all my voice chat follows the udp
> protocol and I am not able to find their time stamps. I just find the
> arrival time of the packet and not the time at which the packet was sent
> from the destination. I believe the udp message must be converted to RTP in
> order to do this analysis, am I right? If not, can someone tell me a better
> way?
>
> I am basically trying to collect a real time data of how users chat when it
> comes to a group conversation.
>
> I am attaching the captured file with this email. Any help is appreciated.
>
> Thank You
>
> Vineeth
>


------------------------------

Message: 8
Date: Sat, 29 Jan 2011 21:26:42 -0800 (PST)
From: vincent paul <amoteluro@xxxxxxxxx>
To: Community support list for Wireshark
        <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tcp.time_delta column with tshark
Message-ID: <814407.71578.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Thank you Sake and J.Snelders for your quick and precious help.

Best Regards,
PV

NOTE: Any idea how to see the packets' content between client and its proxy (not
web server)





------------------------------

Message: 9
Date: Sun, 30 Jan 2011 10:20:57 +0100
From: Sake Blok <sake@xxxxxxxxxx>
To: Community support list for Wireshark
        <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tshark: Read filters were specified
        both with       "-R" and with additional command-line arguments
Message-ID: <795C4DC1-00A4-4CE7-9A6A-2669597D436C@xxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

On 30 jan 2011, at 03:58, Neil Fraser wrote:

> command I'm attempting to use in a linux environment:
> tshark -r hammer2901b -w 0291400000 -R sip.to.addr == "sip:[email protected]:5060" or sip.to.addr == "sip:[email protected]"
>
> output always remains as: tshark: Read filters were specified both with "-R" and with additional command-line arguments

That is because tshark will interpret this as "-R sip.to.addr" and use the rest of the commandline arguments as a read filter. So either you drop the -R or you have to make sure that the argument after -R is one string. You can do this by placing the whole filter within single quotes:

-R 'sip.to.addr == "sip:[email protected]:5060" or sip.to.addr == "sip:[email protected]" '

Cheers,
Sake
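Sake's explanation, worked through as an added Python example (not code from the thread or from Wireshark): shlex tokenizes the three command lines seen in this thread the way a POSIX shell would, showing how many words reach tshark after -R, and builds a shell-free argv for subprocess. The SIP URIs are constructed placeholders; the file names are the ones from the thread.

```python
"""Why the thread's tshark command failed, and how Sake's single quotes fix it.

Added example for this thread, not code from the list or from Wireshark. The
shell, not tshark, splits the command line into argv words; tshark then takes
the single word after -R as its filter and treats every further word as a
capture filter, hence "Read filters were specified both with -R and with
additional command-line arguments". The SIP URIs are constructed placeholders.
"""
import shlex
import shutil
import subprocess
from typing import List

# Constructed placeholder filter with the same shape as the one in the thread.
FILTER = ('sip.to.addr == "sip:USER_A@EXAMPLE_HOST:5060" '
          'or sip.to.addr == "sip:USER_B@EXAMPLE_HOST"')

# 1. Neil's original: nothing protects the spaces, so the shell splits it.
UNQUOTED_CMD = "tshark -r hammer2901b -w 0291400000 -R " + FILTER

# 2. Alan's suggestion: one word, but the shell consumes the only quotes, so
#    tshark's filter parser sees a bare sip:USER@HOST and rejects the "@".
ALAN_CMD = ('tshark -r hammer2901b -w 0291400000 -R "'
            + FILTER.replace('"', "") + '"')

# 3. Sake's fix: single quotes around the whole filter; the shell strips only
#    the outer single quotes and the inner double quotes reach tshark intact.
QUOTED_CMD = "tshark -r hammer2901b -w 0291400000 -R " + shlex.quote(FILTER)


def filter_words(cmdline: str) -> List[str]:
    """Tokenize cmdline like a POSIX shell and return the words after -R.
    tshark accepts exactly one; anything more triggers the error in the thread."""
    words = shlex.split(cmdline)
    return words[words.index("-R") + 1:]


def tshark_argv(infile: str, outfile: str, display_filter: str) -> List[str]:
    """Build argv for subprocess without a shell: every element is one word,
    so no quoting is needed at all. (On current tshark releases -R is the
    two-pass read filter and needs -2; -Y is the single-pass display filter.)"""
    return ["tshark", "-r", infile, "-w", outfile, "-R", display_filter]


if __name__ == "__main__":
    for name, cmd in (("unquoted", UNQUOTED_CMD), ("alan", ALAN_CMD),
                      ("sake", QUOTED_CMD)):
        words = filter_words(cmd)
        print(f"{name}: {len(words)} word(s) after -R -> {words}")
    argv = tshark_argv("hammer2901b", "0291400000", FILTER)
    if shutil.which("tshark"):
        subprocess.run(argv, check=False)
    else:
        print("tshark not installed; argv would be:", argv)
```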

------------------------------

Message: 10
Date: Sun, 30 Jan 2011 19:42:19 +1000
From: Martin Visser <martinvisser99@xxxxxxxxx>
To: Community support list for Wireshark
        <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tcp.time_delta column with tshark
Message-ID:
        <AANLkTi=d2W-+SUM=mfG3UkXyQDY_h48aYCDVTW=9-aiZ@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8

If you capture traffic on your network on or in the path between the
client and proxy, you will see the HTTP proxy traffic. HTTP
traffic direct to the web server or via a proxy is fundamentally the
same - the proxy just has to handle the edge conditions a little
differently.

Regards, Martin

MartinVisser99@xxxxxxxxx





------------------------------

Message: 11
Date: Sun, 30 Jan 2011 16:55:58 +0530
From: NISHANT BULCHANDANI <nbulchandani@xxxxxxxxx>
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] WIRESHARK EVENT IN A TECHFEST
Message-ID:
        <AANLkTim_a8qkx5byO-zHNCeVmh5AOuaCtgMGa9LZOuSg@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hello everyone,
I am a student at SASTRA UNIVERSITY, Thanjavur, Tamil Nadu, INDIA. We are
organising an event based on Wireshark in our techfest this year.
Anyone who is interested please check out the link:
http://www.daksh.sastra.edu/events.php#events/comp
The event name is CONNECXIONS.
Any suggestions for the event are also welcome.

------------------------------

Message: 12
Date: Sun, 30 Jan 2011 19:12:55 +0000
From: nangergong <nangergong@xxxxxxxxx>
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] about the VOIP bandwidth
Message-ID:
        <AANLkTikoLJkWQN4KPPrEKs-NUVr_j=HWNqZhXWej7EZz@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hi, all:

  I'm using Wireshark to capture VOIP streams; the codec used in the VOIP
session is G711, which uses a bandwidth of 64kbps.

  When I follow the following steps to analyse the VOIP streams:

  Telephony->RTP->show all streams->Analyze,

  I found that the IP BW (bandwidth) column shows that the bandwidth is
about 81.6 kbps. I also used a traffic monitoring program to monitor the
traffic, which shows the bandwidth used is about 64kbps (conformant to the G711
bit rate). So, I wonder whether Wireshark is accurate in measuring the
bandwidth, or even other metrics such as jitter, etc.

  Thank you!
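An added worked calculation (Python, not code from the thread or from Wireshark) for the 64 vs 81.6 kbps question above: the same G.711 stream counted at each protocol layer, assuming 20 ms packetization and standard header sizes; it also covers other ptime values, which the thread does not mention.

```python
"""Why a 64 kbit/s G.711 call shows as ~80 kbit/s "IP BW" in RTP stream analysis.

Added example for this thread's bandwidth question; it is not code from the
list or from Wireshark. The codec rate counts audio payload only; every
packet also carries RTP, UDP and IP headers (and Ethernet framing on the
wire), so the rate depends on which layer the measuring tool counts at. The
header sizes are the standard ones; Wireshark's own windowing of the
measurement is not modelled, so small differences such as 81.6 vs 80 remain.
"""
from typing import Dict

HEADER_OCTETS = {
    "rtp": 12,               # fixed RTP header, no CSRC list or extension
    "udp": 8,
    "ipv4": 20,              # no options
    "eth": 14 + 4,           # MAC addresses + EtherType + FCS
    "eth_line": 8 + 12,      # preamble/SFD + inter-frame gap, wire only
}

# Which headers each measurement layer includes, innermost first.
LAYERS = {
    "codec": (),
    "rtp": ("rtp",),
    "udp": ("rtp", "udp"),
    "ip": ("rtp", "udp", "ipv4"),
    "ethernet": ("rtp", "udp", "ipv4", "eth"),
    "wire": ("rtp", "udp", "ipv4", "eth", "eth_line"),
}


def payload_octets(codec_kbps: float, ptime_ms: float) -> float:
    """Audio octets per packet: G.711 at 64 kbit/s with 20 ms ptime = 160."""
    return codec_kbps * ptime_ms / 8


def packets_per_second(ptime_ms: float) -> float:
    return 1000.0 / ptime_ms


def bandwidth_kbps(codec_kbps: float, ptime_ms: float, layer: str) -> float:
    """Bit rate one direction of the stream consumes when counted at `layer`."""
    overhead = sum(HEADER_OCTETS[h] for h in LAYERS[layer])
    octets = payload_octets(codec_kbps, ptime_ms) + overhead
    return octets * 8 * packets_per_second(ptime_ms) / 1000


def bandwidth_table(codec_kbps: float = 64, ptime_ms: float = 20) -> Dict[str, float]:
    """Rate at every layer for one codec/ptime combination."""
    return {layer: bandwidth_kbps(codec_kbps, ptime_ms, layer) for layer in LAYERS}


def ptime_from_packet_rate(packets_per_sec: float) -> float:
    """Recover the packetization interval from the packet rate the RTP
    analysis reports (e.g. 50 pkt/s -> 20 ms)."""
    return 1000.0 / packets_per_sec


if __name__ == "__main__":
    for ptime in (10, 20, 30):
        rates = bandwidth_table(64, ptime)
        print(f"G.711, ptime {ptime} ms: " +
              ", ".join(f"{layer} {kbps:.1f} kbit/s" for layer, kbps in rates.items()))
```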

------------------------------

Message: 13
Date: Sun, 30 Jan 2011 19:14:28 +0000
From: nangergong <nangergong@xxxxxxxxx>
To: Community support list for Wireshark
        <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] how to analyze udp streams of skype
        chat
Message-ID:
        <AANLkTinb9+BLk4YKO1c95_skpTAjPFszPfeC6ZXsyjMG@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

I used an open source program to do VOIP tests.
Do you have any idea on how to measure the delays?



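For Vineeth's plan at the top of this page to take differences of packet times, and for the question just above about measuring delays, an added Python example (not code from the thread or from Wireshark) that groups a tshark UDP field export into flows and reports per-flow inter-arrival gaps, bit rate and pauses. It assumes the tshark invocation shown in the docstring and uses constructed sample lines.

```python
"""Per-flow inter-arrival analysis of UDP packets from a tshark field export.

Added example for the Skype timing question in this thread; it is not code
from the list or from Wireshark. One capture point cannot give one-way delay
(the send time is not visible in Skype's encrypted UDP payload), but the
inter-arrival gaps at the capture point do expose each flow's traffic pattern:
packet rate, bit rate and the pauses between talk spurts.

Assumed input, one line per packet as printed by:
  tshark -r chat.pcap -Y udp -T fields -E separator=, -e frame.time_epoch \
      -e ip.src -e udp.srcport -e ip.dst -e udp.dstport -e frame.len
"""
from collections import defaultdict
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed sample export: six packets, both directions of one conversation.
SAMPLE_CSV = """\
1296400000.000000,10.0.0.5,40001,10.0.0.7,43210,131
1296400000.020100,10.0.0.5,40001,10.0.0.7,43210,131
1296400000.020400,10.0.0.7,43210,10.0.0.5,40001,129
1296400000.040050,10.0.0.5,40001,10.0.0.7,43210,131
1296400000.041000,10.0.0.7,43210,10.0.0.5,40001,129
1296400000.240300,10.0.0.5,40001,10.0.0.7,43210,131
"""

Flow = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)


@dataclass
class FlowStats:
    packets: int = 0
    octets: int = 0
    timestamps: List[Decimal] = field(default_factory=list)

    @property
    def gaps(self) -> List[Decimal]:
        """Inter-arrival times between consecutive packets of this flow."""
        t = self.timestamps
        return [later - earlier for earlier, later in zip(t, t[1:])]

    @property
    def mean_gap(self) -> Decimal:
        g = self.gaps
        return sum(g, Decimal(0)) / len(g) if g else Decimal(0)

    @property
    def max_gap(self) -> Decimal:
        return max(self.gaps, default=Decimal(0))

    def rate_bps(self) -> float:
        """Average bit rate over the flow's lifetime, as seen at the capture point."""
        span = self.timestamps[-1] - self.timestamps[0]
        return float(self.octets * 8 / span) if span > 0 else 0.0


def parse_flows(csv_text: str) -> Dict[Flow, FlowStats]:
    """Group the export by 4-tuple; tshark prints packets in capture order,
    so per-flow timestamps are already sorted."""
    flows: Dict[Flow, FlowStats] = defaultdict(FlowStats)
    for line in csv_text.splitlines():
        fields = line.split(",")
        if len(fields) != 6 or not all(fields):
            continue  # blank line, or a frame where some field is empty
        ts, src, sport, dst, dport, length = fields
        st = flows[(src, int(sport), dst, int(dport))]
        st.packets += 1
        st.octets += int(length)
        st.timestamps.append(Decimal(ts))  # Decimal keeps the microseconds exact
    return dict(flows)


def silences(st: FlowStats, factor: int = 2) -> List[Tuple[int, Decimal]]:
    """(packet index, gap) for gaps longer than factor * mean gap: in a voice
    flow these are the pauses between talk spurts, the 'pattern' being studied."""
    limit = st.mean_gap * factor
    return [(i + 1, g) for i, g in enumerate(st.gaps) if g > limit]


if __name__ == "__main__":
    for flow, st in parse_flows(SAMPLE_CSV).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {st.packets} pkts, "
              f"{st.rate_bps():.0f} bit/s, mean gap {st.mean_gap:.4f} s, "
              f"max gap {st.max_gap:.4f} s, pauses {silences(st)}")
```

To measure true one-way delay you would need captures at both endpoints with synchronized clocks and a way to match each packet across the two captures; this script only characterizes what one capture point sees.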

------------------------------

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users


End of Wireshark-users Digest, Vol 56, Issue 26
***********************************************

