Wireshark-users: Re: [Wireshark-users] tshark iostat calculation

From: "j.snelders" <j.snelders@xxxxxxxxxx>
Date: Sun, 6 Nov 2011 19:31:59 +0100
Hi Stuart,

To check whether tshark is using TCP timestamps run:
$ tshark -G currentprefs | grep tcp.calculate_timestamps
#tcp.calculate_timestamps: FALSE

To enable TCP timestamps use:
tshark -r FS01.pcap -o tcp.calculate_timestamps:TRUE -R "(tcp.dstport==445)" \
  -qz io,stat,600,"MIN(tcp.time_delta)tcp.time_delta" -qz io,stat,600,"SUM(tcp.time_delta)tcp.time_delta" \
  -z io,stat,600,"MAX(tcp.time_delta)tcp.time_delta" -z io,stat,600,"AVG(tcp.time_delta)tcp.time_delta" \
  -z io,stat,600,"COUNT(tcp.time_delta)tcp.time_delta"

Output:
===================================================================
IO Statistics
Interval: 600.000 secs
Column #0: COUNT(tcp.time_delta)tcp.time_delta
                |   Column #0
Time            |          COUNT
000.000-600.000            343084
===================================================================

===================================================================
IO Statistics
Interval: 600.000 secs
Column #0: AVG(tcp.time_delta)tcp.time_delta
                |   Column #0
Time            |            AVG
000.000-600.000             0.028
===================================================================

===================================================================
IO Statistics
Interval: 600.000 secs
Column #0: MAX(tcp.time_delta)tcp.time_delta
                |   Column #0
Time            |            MAX
000.000-600.000            91.617
===================================================================

===================================================================
IO Statistics
Interval: 600.000 secs
Column #0: SUM(tcp.time_delta)tcp.time_delta
                |   Column #0
Time            |            SUM
000.000-600.000                 0
===================================================================

===================================================================
IO Statistics
Interval: 600.000 secs
Column #0: MIN(tcp.time_delta)tcp.time_delta
                |   Column #0
Time            |            MIN
000.000-600.000             0.000
===================================================================


Note:
SUM(<field>) can only be used on named fields of integer type. This will
sum together every occurrence of this field's value for each interval.
http://www.wireshark.org/docs/man-pages/tshark.html
http://www.wireshark.org/docs/dfref/t/tcp.html

Best regards
Joke
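
Added example (my own code, not from the thread or the Wireshark project): since io,stat's SUM() only works on integer fields, the per-interval sum of tcp.time_delta that the original post wanted can be computed outside tshark by exporting the fields with -T fields and aggregating them. The capture name, the -Y display-filter flag (older tshark versions use -R as in the thread) and the sample export lines are assumptions; the sample lines are constructed.

```python
r"""Per-interval COUNT/SUM/MIN/MAX/AVG of tcp.time_delta, computed outside tshark.

tshark's io,stat SUM() accepts only integer fields, so tcp.time_delta sums to 0.
Assumed export step (tcp.calculate_timestamps must be on, as in the thread):
  tshark -r FS01.pcap -o tcp.calculate_timestamps:TRUE -Y "tcp.dstport==445" \
         -T fields -e frame.time_relative -e tcp.time_delta > deltas.tsv
"""
from collections import defaultdict

# Constructed sample of that tab-separated output. An empty second column is how
# tshark prints a frame with no tcp.time_delta (e.g. the first frame of a stream).
SAMPLE_TSV = """\
0.000000\t
0.250000\t0.250000
0.300000\t0.050000
599.999000\t91.617000
600.100000\t0.100000
1150.000000\t
1199.500000\t0.400000
"""

def parse_fields(text):
    """Yield (frame_time, delta) pairs; delta is None when the field is absent."""
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        raw = cols[1] if len(cols) > 1 else ""
        yield float(cols[0]), (float(raw) if raw else None)

def io_stat(rows, interval):
    """Bucket rows into [k*interval, (k+1)*interval) and aggregate their deltas.
    Returns {bucket_start: {"COUNT", "SUM", "MIN", "MAX", "AVG"}} like io,stat."""
    buckets = defaultdict(list)
    for frame_time, delta in rows:
        if delta is None:          # like tshark, only frames carrying the field count
            continue
        buckets[int(frame_time // interval) * interval].append(delta)
    return {
        start: {"COUNT": len(d), "SUM": sum(d), "MIN": min(d),
                "MAX": max(d), "AVG": sum(d) / len(d)}
        for start, d in sorted(buckets.items())
    }

if __name__ == "__main__":
    for start, s in io_stat(parse_fields(SAMPLE_TSV), 600).items():
        print(f"{start:07.3f}-{start + 600:07.3f}", s)
```

Replace SAMPLE_TSV with the contents of deltas.tsv to run it on a real export.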


On Sun, 06 Nov 2011 05:23:14 -0800 Stuart Kendrick wrote:
>I would like to sum the delta time between frames which match a filter
>
>In this example, CIFS traffic from a client to a server.
>
>I can do this in the GUI:
>Statistics, IO Graphs, Filter tcp.dstport==445, SUM tcp.time_delta,
>Style FBar, Tick interval 10 min, Unit Advanced
>
>
>But I'm wanting to use tshark instead.
>
>guru> tshark -nlr sample-cifs.pcap -R "(tcp.dstport==445)" -qz io,stat,600,"SUM(tcp.time_delta)tcp.time_delta"
>
>===================================================================
>IO Statistics
>Interval: 600.000 secs
>Column #0: SUM(tcp.time_delta)tcp.time_delta
>                |   Column #0
>Time            |            SUM
>000.000-600.000                 0
>===================================================================
>
>Clearly, I'm fumbling something.  Suggestions?
>
>--sk
>
>Stuart Kendrick
>FHCRC