Wireshark-users: Re: [Wireshark-users] summing tcp.time_delta

From: Stuart Kendrick <skendric@xxxxxxxxx>
Date: Sun, 03 Jun 2012 07:00:45 -0700
Hi Sake,

OK, so I had missed the following instruction from the man page:
"NOTE: One important thing to note here is that the field that the calculation is based on MUST also be part of the filter string or else the calculation will fail."
and you have helped me to correct that.  Thank you!

A question: Why include "-R tcp.stream==1"? I'm thinking that, for statistics calculation, I don't need a 'Read filter' ... since I'm suppressing output with '-z' anyway.

[I'm getting the same output when I skip the '-R {filter}' phrase.]

tshark -r http.cap -qz "io,stat,0,SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src="" && tcp.stream==1 && ip.dst==192.168.1.43)"

--sk



On 6/2/2012 2:24 AM, Sake Blok wrote:
Stuart,

The read/display filter does not have an effect on the resulting data in the stats. You need to specify the filter in the stats definition. Here is an example:

sake@macsake-wifi:~/Wireshark/pcap$ tshark -r http.cap -R tcp.stream==1 -qz "io,stat,0,SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src="" && tcp.stream==1 && ip.dst==192.168.1.43)"

=======================================================================================
| IO Statistics                                                                       |
|                                                                                     |
| Interval size: 50.0 secs (dur)                                                      |
| Col 1: SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src="" |
|     2: SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.dst==192.168.1.43) |
|-------------------------------------------------------------------------------------|
|              |1          |2         |                                               |
| Interval     |    SUM    |    SUM   |                                               |
|-------------------------------------|                                               |
|  0.0 <> 50.0 | 26.906796 | 1.299915 |                                               |
=======================================================================================
sake@macsake-wifi:~/Wireshark/pcap$ 

If I filter on something else, the sum still works, which shows that the read/display filter is not used in creating the io,stat statistics:

sake@macsake-wifi:~/Wireshark/pcap$ tshark -r http.cap -R tcp.stream==2 -qz "io,stat,0,SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src="" && tcp.stream==1 && ip.dst==192.168.1.43)"

=======================================================================================
| IO Statistics                                                                       |
|                                                                                     |
| Interval size: 50.0 secs (dur)                                                      |
| Col 1: SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src="" |
|     2: SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.dst==192.168.1.43) |
|-------------------------------------------------------------------------------------|
|              |1          |2         |                                               |
| Interval     |    SUM    |    SUM   |                                               |
|-------------------------------------|                                               |
|  0.0 <> 50.0 | 26.906796 | 1.299915 |                                               |
=======================================================================================
sake@macsake-wifi:~/Wireshark/pcap$ 

Hope this helps,
Cheers,


Sake



On 2 Jun 2012, at 00:49, Stuart Kendrick wrote:

I have a trace of a client loading a large file via HTTP from a remote Web server, captured at the client.  Takes ~7.5s.

I was imagining that I could calculate how much time the client contributed to the transaction and compare this to how much time the server + network contributed.  But I'm fumbling the calculation somehow ... I get the same result (~7.5s) regardless of whether I'm filtering on client-sourced frames or server-sourced frames.  I would have expected the 7.5s to be divided between the two (~.5s for tcp.dstport==80 and ~7s for tcp.srcport==80).  Tips?

C:\Temp> tshark -nlr client.pcap -o tcp.calculate_timestamps:TRUE -R "(tcp.dstport==80)" -qz io,stat,600,"SUM(tcp.time_delta)tcp.time_delta"

============================================
| IO Statistics                            |
|                                          |
| Interval size: 7.572 secs (dur)          |
| Col 1: SUM(tcp.time_delta)tcp.time_delta |
|------------------------------------------|
|                |1         |              |
| Interval       |    SUM   |              |
|---------------------------|              |
| 0.000 <> 7.572 | 7.571759 |              |
============================================

C:\Temp>tshark -nlr client.pcap -o tcp.calculate_timestamps:TRUE -R "(tcp.srcport==80)" -qz io,stat,600,"SUM(tcp.time_delta)tcp.time_delta"

============================================
| IO Statistics                            |
|                                          |
| Interval size: 7.572 secs (dur)          |
| Col 1: SUM(tcp.time_delta)tcp.time_delta |
|------------------------------------------|
|                |1         |              |
| Interval       |    SUM   |              |
|---------------------------|              |
| 0.000 <> 7.572 | 7.571759 |              |
============================================


--sk


Stuart Kendrick
FHCRC


            
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
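Stuart's original question in the thread above is how to split the summed tcp.time_delta between client-sourced and server-sourced frames, and Sake's answer is that the split has to live in the SUM(...)(filter) expression rather than in the read filter. As an added example (not code from this thread, and not part of Wireshark or tshark), the Python below does the same arithmetic over a `tshark -T fields` export: a predicate plays the role of io,stat's per-column filter, and each frame's tcp.time_delta (time since the previous frame in the same TCP stream) is credited to the side that sent the frame, so the gap before a server frame counts as server + network time and the gap before a client frame as client time. The ten export rows are constructed for the example; the server address 10.0.0.5, port 80 and the file name deltas.tsv are assumptions.

```python
"""Split summed tcp.time_delta between client- and server-sourced frames,
working from a tshark field export instead of io,stat.

Export command (tcp.time_delta is only populated when the
tcp.calculate_timestamps preference is on, as in Stuart's command):

    tshark -r client.pcap -o tcp.calculate_timestamps:TRUE -T fields \
        -e tcp.stream -e ip.src -e tcp.srcport -e tcp.dstport \
        -e tcp.time_delta -E separator=/t > deltas.tsv
"""
import sys
from typing import Callable, Iterable, List, NamedTuple

# Constructed sample export (tab-separated, one frame per line), NOT from a
# real capture: two HTTP streams from client 192.168.1.43 to an assumed
# server 10.0.0.5:80. Column order matches the -e list above.
SAMPLE_EXPORT = """\
0\t192.168.1.43\t51234\t80\t0.000000
0\t10.0.0.5\t80\t51234\t0.050000
0\t192.168.1.43\t51234\t80\t0.000200
0\t192.168.1.43\t51234\t80\t0.001000
0\t10.0.0.5\t80\t51234\t0.200000
0\t10.0.0.5\t80\t51234\t0.300000
0\t192.168.1.43\t51234\t80\t0.000100
0\t10.0.0.5\t80\t51234\t0.450000
1\t192.168.1.43\t51235\t80\t0.000000
1\t10.0.0.5\t80\t51235\t0.100000
"""


class Frame(NamedTuple):
    stream: int
    src: str
    srcport: int
    dstport: int
    time_delta: float  # seconds since the previous frame in the same stream


def parse_export(text: str) -> List[Frame]:
    """Parse tshark -T fields output; rows without a tcp.stream value
    (non-TCP frames) or with the wrong column count are skipped."""
    frames = []
    for line in text.splitlines():
        cols = line.rstrip("\r\n").split("\t")
        if len(cols) != 5 or not cols[0]:
            continue
        stream, src, sport, dport, delta = cols
        # An empty tcp.time_delta (first frame of a stream in some builds)
        # contributes nothing to the sum.
        frames.append(Frame(int(stream), src, int(sport), int(dport),
                            float(delta) if delta else 0.0))
    return frames


def sum_time_delta(frames: Iterable[Frame],
                   match: Callable[[Frame], bool]) -> float:
    """Equivalent of io,stat's SUM(tcp.time_delta)(<filter>): only frames
    for which `match` holds contribute. Rounded to microseconds."""
    return round(sum(f.time_delta for f in frames if match(f)), 6)


def split_by_direction(frames: Iterable[Frame], server_port: int = 80) -> dict:
    """Credit each frame's delta to its sender: frames *to* the server port
    are client time, frames *from* it are server + network time."""
    frames = list(frames)
    client = sum_time_delta(frames, lambda f: f.dstport == server_port)
    server = sum_time_delta(frames, lambda f: f.srcport == server_port)
    per_stream = {}
    for s in sorted({f.stream for f in frames}):
        per_stream[s] = {
            "client": sum_time_delta(
                frames, lambda f: f.stream == s and f.dstport == server_port),
            "server": sum_time_delta(
                frames, lambda f: f.stream == s and f.srcport == server_port),
        }
    return {"client": client, "server": server,
            "total": round(client + server, 6), "per_stream": per_stream}


if __name__ == "__main__":
    # Usage: python3 split_deltas.py [deltas.tsv]; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    result = split_by_direction(parse_export(text))
    print("client  %.6f s" % result["client"])
    print("server  %.6f s" % result["server"])
    print("total   %.6f s" % result["total"])
    for s, d in result["per_stream"].items():
        print("stream %d: client %.6f  server %.6f" % (s, d["client"], d["server"]))
```

The total column equals the unfiltered sum, which is what Stuart's two io,stat runs reported; the two direction columns are the split he was expecting, and they only differ because the direction test is inside the predicate that `sum_time_delta` applies, mirroring the filter Sake put inside `SUM(tcp.time_delta)(...)`.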