Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] Getting duration when using tshark -z conv

Date: Sat, 13 Sep 2008 22:28:16 +0200
On Sat, 13 Sep 2008 09:19:05 +0100 James Talbut wrote:
>Unfortunately not, thanks.
>
>When I get conversation breakdowns from wireshark it gives me these
>columns:
>Address A	Port A	Address B	Port B	Packets	Bytes	Packets
>A->B	Bytes A->B	Packets A<-B	Bytes A<-B	Rel Start
>Duration	bps A->B	bps A<-B
>(saved as CSV from the conversations window)
>
>But when I get conversations from tshark it only has these:
>                                               |       <-      | |
>->      | |     Total     |
>                                               | Frames  Bytes | |
>Frames  Bytes | | Frames  Bytes |
> 
>I really want the Duration data so that I can roughly tell the consumed
>bandwidth of a given conversation.
>
>With wireshark generating the conversation breakdown takes about 5 times
>as long as with tshark, and with tshark taking over an hour that's a
>significant difference :)
>I can't even load the files on 32 bit Windows because it runs out of
>address space, but tshark uses much less memory too.
>
>What I'd like is for -z conv to give me exactly the same columns as
>wireshark.

Not AFAIK.

May be io,stat can help a bit.
Make sure you use the "." as a decimal symbol (regional settings).
You can play around with the interval (3600 seconds and higher) for your
6 hour cap-file ;-)

$ tshark -z io,stat,50,ip.addr==81.33.231.11,ip.addr==193.81.55.180 -q -r
test.pcap
===================================================================
IO Statistics
Interval: 50.000 secs
Column #0: ip.addr==81.33.231.11
Column #1: ip.addr==193.81.55.180
                |   Column #0    |   Column #1
Time            |frames|  bytes  |frames|  bytes
000.000-050.000       0         0      0         0
050.000-100.000       0         0      0         0
100.000-150.000       0         0      0         0
150.000-200.000       0         0      0         0
200.000-250.000       0         0      0         0
250.000-300.000       0         0    386    330909
300.000-350.000       0         0      6       336
350.000-400.000    4583   4687982    831    719871
400.000-450.000    8524   8656229      3       168
===================================================================

Grtz
Joan