Wireshark mailing list archives
Re: tshark iostat calculation
From: "j.snelders" <j.snelders () telfort nl>
Date: Sun, 6 Nov 2011 19:31:59 +0100
Hi Stuart,

To check whether tshark is using TCP timestamps run:
$ tshark -G currentprefs | grep tcp.calculate_timestamps
#tcp.calculate_timestamps: FALSE

To enable TCP timestamps use:
tshark -r FS01.pcap -o tcp.calculate_timestamps:TRUE -R "(tcp.dstport==445)" -qz io,stat,600,"MIN(tcp.time_delta)tcp.time_delta" -qz io,stat,600,"SUM(tcp.time_delta)tcp.time_delta" -z io,stat,600,"MAX(tcp.time_delta)tcp.time_delta" -z io,stat,600,"AVG(tcp.time_delta)tcp.time_delta" -z io,stat,600,"COUNT(tcp.time_delta)tcp.time_delta"

Output:
===================================================================
IO Statistics
Interval: 600.000 secs
Column #0: COUNT(tcp.time_delta)tcp.time_delta
                |   Column #0
Time            |          COUNT
000.000-600.000           343084
===================================================================

===================================================================
IO Statistics
Interval: 600.000 secs
Column #0: AVG(tcp.time_delta)tcp.time_delta
                |   Column #0
Time            |          AVG
000.000-600.000            0.028
===================================================================

===================================================================
IO Statistics
Interval: 600.000 secs
Column #0: MAX(tcp.time_delta)tcp.time_delta
                |   Column #0
Time            |          MAX
000.000-600.000           91.617
===================================================================

===================================================================
IO Statistics
Interval: 600.000 secs
Column #0: SUM(tcp.time_delta)tcp.time_delta
                |   Column #0
Time            |          SUM
000.000-600.000                0
===================================================================

===================================================================
IO Statistics
Interval: 600.000 secs
Column #0: MIN(tcp.time_delta)tcp.time_delta
                |   Column #0
Time            |          MIN
000.000-600.000            0.000
===================================================================

Note
SUM(<field>) can only be used on named fields of integer type. This will sum together every occurrence of this field's value for each interval.

http://www.wireshark.org/docs/man-pages/tshark.html
http://www.wireshark.org/docs/dfref/t/tcp.html

Best regards
Joke

On Sun, 06 Nov 2011 05:23:14 -0800 Stuart Kendrick wrote:

I would like to sum the delta time between frames which match a filter. In this example, CIFS traffic from a client to a server.

I can do this in the GUI: Statistics, IO Graphs, Filter tcp.dstport==445, SUM tcp.time_delta, Style FBar, Tick interval 10 min, Unit Advanced

But I'm wanting to use tshark instead.

guru> tshark -nlr sample-cifs.pcap -R "(tcp.dstport==445)" -qz io,stat,600,"SUM (tcp.time_delta)tcp.time_delta"
===================================================================
IO Statistics
Interval: 600.000 secs
Column #0: SUM(tcp.time_delta)tcp.time_delta
                |   Column #0
Time            |          SUM
000.000-600.000                0
===================================================================

Clearly, I'm fumbling something. Suggestions?

--sk

Stuart Kendrick
FHCRC
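
Added example (not part of the original thread, and not Wireshark code): the io,stat output above reports SUM as 0 for tcp.time_delta, and the quoted man page note limits SUM to integer fields, so one way to get per-interval totals is to export the field values and aggregate them outside tshark. The input layout (tab-separated frame.time_relative and tcp.time_delta, as `-T fields` would emit) and the sample rows are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample rows: frame.time_relative <TAB> tcp.time_delta.
# Assumed to come from a command along the lines of:
#   tshark -r FS01.pcap -o tcp.calculate_timestamps:TRUE -R "(tcp.dstport==445)" \
#          -T fields -e frame.time_relative -e tcp.time_delta
SAMPLE = (
    "0.000000\t0.000000\n"
    "0.250000\t0.250000\n"
    "12.500000\t12.250000\n"
    "599.900000\t0.125000\n"
    "600.100000\t0.250000\n"
    "845.000000\t91.500000\n"
    "900.000000\t\n"          # frame without a tcp.time_delta value
)


def interval_stats(lines, interval=600.0):
    """Bucket tcp.time_delta values by capture time; return per-bucket stats."""
    values = defaultdict(list)
    for line in lines:
        cols = line.rstrip("\r\n").split("\t")
        if len(cols) < 2 or not cols[0] or not cols[1]:
            continue  # field absent for this frame, nothing to aggregate
        start = int(float(cols[0]) // interval) * interval
        # -T fields joins multiple occurrences of one field with commas
        values[start].extend(float(v) for v in cols[1].split(","))
    stats = {}
    for start, deltas in sorted(values.items()):
        total = math.fsum(deltas)  # floating-point sum, unlike io,stat SUM()
        stats[start] = {"count": len(deltas), "sum": total,
                        "min": min(deltas), "max": max(deltas),
                        "avg": total / len(deltas)}
    return stats


def format_report(stats, interval=600.0):
    """Render the stats as one row per interval, similar to io,stat columns."""
    rows = ["Time               COUNT        SUM      MIN      MAX      AVG"]
    for start, s in stats.items():
        rows.append("%07.3f-%07.3f %7d %10.3f %8.3f %8.3f %8.3f" % (
            start, start + interval, s["count"], s["sum"],
            s["min"], s["max"], s["avg"]))
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_report(interval_stats(SAMPLE.splitlines())))
```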