Wireshark-users: Re: [Wireshark-users] tshark iostat calculation

From: Stuart Kendrick <skendric@xxxxxxxxx>
Date: Sun, 06 Nov 2011 13:47:07 -0800
Hi Joke,

OK, so I'm learning here, about preferences, for example -- thank you.

Seems to me that both of us are seeing a value of 0 for SUM because ...
per the snippet of man page you include ... SUM only adds fields of type
integer ... and tcp.time_delta is of type float ... am I correct here?

i.e. I can use the GUI to SUM tcp.time_delta, but I cannot use tshark to do
this.  Yes?

guru> tshark -nlr smbv2-copy.pcap -o tcp.calculate_timestamps:TRUE -R "(tcp.dstport==445)" \
-qz io,stat,600,"MIN(tcp.time_delta)tcp.time_delta" \
-qz io,stat,600,"SUM(tcp.time_delta)tcp.time_delta" \
-qz io,stat,600,"MAX(tcp.time_delta)tcp.time_delta" \
-qz io,stat,600,"AVG(tcp.time_delta)tcp.time_delta" \
-qz io,stat,600,"COUNT(tcp.time_delta)tcp.time_delta"

===================================================================
IO Statistics
Interval: 600.000 secs
Column #0: COUNT(tcp.time_delta)tcp.time_delta
                |   Column #0    
Time            |          COUNT 
000.000-600.000              5784 
===================================================================

===================================================================
IO Statistics
Interval: 600.000 secs
Column #0: AVG(tcp.time_delta)tcp.time_delta
                |   Column #0    
Time            |            AVG 
000.000-600.000             0.005 
===================================================================

===================================================================
IO Statistics
Interval: 600.000 secs
Column #0: MAX(tcp.time_delta)tcp.time_delta
                |   Column #0    
Time            |            MAX 
000.000-600.000            15.740 
===================================================================

===================================================================
IO Statistics
Interval: 600.000 secs
Column #0: SUM(tcp.time_delta)tcp.time_delta
                |   Column #0    
Time            |            SUM 
000.000-600.000                 0 
===================================================================

===================================================================
IO Statistics
Interval: 600.000 secs
Column #0: MIN(tcp.time_delta)tcp.time_delta
                |   Column #0    
Time            |            MIN 
000.000-600.000             0.000 
===================================================================
guru> 




On 11/6/2011 10:31 AM, j.snelders wrote:
> Hi Stuart,
>
> To check whether tshark is using TCP timestamps run:
> $ tshark -G currentprefs | grep tcp.calculate_timestamps
> #tcp.calculate_timestamps: FALSE
>
> To enable TCP timestamps use:
> tshark -r FS01.pcap -o tcp.calculate_timestamps:TRUE -R "(tcp.dstport==445)" \
> -qz io,stat,600,"MIN(tcp.time_delta)tcp.time_delta" -qz io,stat,600,"SUM(tcp.time_delta)tcp.time_delta" \
> -z io,stat,600,"MAX(tcp.time_delta)tcp.time_delta" -z io,stat,600,"AVG(tcp.time_delta)tcp.time_delta" \
> -z io,stat,600,"COUNT(tcp.time_delta)tcp.time_delta"
>
> [...]
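
Added example (not part of the original thread and not Wireshark project code): when io,stat prints 0 for SUM as in the output above, the field can be exported with -T fields -e and aggregated outside tshark. The function names and the sample values are constructed for illustration, and awk is assumed to be installed.

```shell
#!/bin/sh
# Added example: aggregate tcp.time_delta outside io,stat.

# Emit one tcp.time_delta value per line. $1 = capture file, $2 = filter.
# -R is the filter flag used in the thread; newer tshark releases use -Y.
tshark_time_deltas() {
    tshark -nlr "$1" -o tcp.calculate_timestamps:TRUE -R "$2" \
        -T fields -e tcp.time_delta
}

# Read one value per line on stdin and print: COUNT SUM MIN MAX AVG.
# Empty lines (packets without the field) are skipped.
time_delta_stats() {
    LC_ALL=C awk '
        /^[ \t]*$/ { next }
        {
            v = $1 + 0
            if (n == 0 || v < min) min = v
            if (n == 0 || v > max) max = v
            sum += v
            n++
        }
        END {
            if (n == 0) { print "0 0 0 0 0"; exit }
            printf "%d %.6f %.6f %.6f %.6f\n", n, sum, min, max, sum / n
        }'
}

# Constructed sample values (not taken from smbv2-copy.pcap).
sample_deltas() {
    printf '%s\n' 0.000000 0.005000 '' 15.740000 0.250000
}

# Offline demonstration on the constructed sample.
sample_deltas | time_delta_stats
# Against a real capture (requires tshark and the file):
#   tshark_time_deltas smbv2-copy.pcap "(tcp.dstport==445)" | time_delta_stats
```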