Wireshark-bugs: [Wireshark-bugs] [Bug 8066] New: tshark -z io, stat reports bad byte counts if f

Date: Wed, 05 Dec 2012 22:01:11 +0000
Bug ID 8066
Summary tshark -z io,stat reports bad byte counts if filter doesn't match anything
Classification Unclassified
Product Wireshark
Version 1.8.4
Hardware x86
OS Mac OS X 10.8
Status UNCONFIRMED
Severity Major
Priority Low
Component TShark
Assignee [email protected]
Reporter [email protected]

Created attachment 9633 [details]
output of steps described

Build Information:
TShark 1.8.4 (SVN Rev 46250 from /trunk-1.8)

Copyright 1998-2012 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.32.3, with libpcap, with libz 1.2.3, without POSIX
capabilities, with SMI 0.4.8, without c-ares, without ADNS, with Lua 5.1,
without Python, with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with
GeoIP.

Running on Mac OS 10.8.2 (Darwin 12.2.0), with locale en_US.UTF-8, with libpcap
version 1.1.1, with libz 1.2.5.

Built using gcc 4.2.1 (Apple Inc. build 5666) (dot 3).

--
With tshark, using the -z io,stat tool can report the wrong number of bytes
that don't match a given display filter or during the indicated interval. 

1. I've uploaded the following file as an example:
http://cloudshark.org/captures/8594b08d8ee0 - I call it 'webpagetest.pcap'
Download it to your system.

2. Run tshark on that file as follows:

  tshark -r webpagetest.pcap -q -z io,stat,2,udp

See attachment for my output.

3. Notice the IO Statistics table that is produced is correct until the last
spot in the 'udp bytes' column where there seems to be some kind of large
number instead.

4. Graph both tcp and udp at the same time:

   tshark -r webpagetest.pcap -q -z io,stat,2,tcp,udp

TCP looks ok, but that bad UDP number is still in there where there should be a
zero.

5. Try a protocol that doesn't appear in the file, like BOOTP

   tshark -r webpagetest.pcap -q -z io,stat,2,udp,tcp,bootp

The extra large value is still reported in the UDP column, and even though
there is no BOOTP traffic in the whole file, we get a bogus number of bytes
appearing.

In my own builds of 1.8.4 I've seen the number '2' appear instead of the
4410097968 number, and always the number '952224' in the last row of the bytes
column for certain protocols.

I have seen this in builds of 1.8.2 and 1.8.4. I can provide output from 1.8.2
if that's helpful.
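
A sanity check for the symptom reported above, as an added example that is not part of the original report or of Wireshark's code: it scans an io,stat table and flags any cell where the frame count is zero but the byte count is not, or where the byte count exceeds the capture file size. The table layout, the sample rows and the name suspect_cells are assumptions constructed for illustration; only the value 4410097968 is taken from the report.

```python
import re

# Constructed sample in an assumed io,stat layout with two filter columns
# (not the reporter's attachment). The last row reproduces the symptom:
# zero frames in column 1 but a large non-zero byte count.
SAMPLE = """\
| Interval | Frames | Bytes | Frames | Bytes  |
|-------------------------------------------|
|  0 <>  2 |     12 |  1104 |    310 | 215332 |
|  2 <>  4 |      3 |   276 |    128 |  90211 |
|  4 <>  6 |      0 |     0 |     41 |  30550 |
|  6 <>  8 |      0 | 4410097968 |  7 |    420 |
"""

# A data row starts with "start <> end" and is followed by Frames/Bytes pairs.
ROW = re.compile(r"^\|\s*(\d+(?:\.\d+)?)\s*<>\s*(\d+(?:\.\d+)?|Dur)\s*\|(.*)\|\s*$")


def suspect_cells(table_text, capture_size=None):
    """Return (interval, column, frames, bytes) for cells that cannot be right.

    capture_size is the size of the capture file in bytes (optional); no
    interval can legitimately account for more bytes than the whole file.
    """
    findings = []
    for line in table_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or banner line
        interval = f"{m.group(1)}-{m.group(2)}"
        cells = [c.strip() for c in m.group(3).split("|")]
        # Expect an even number of purely numeric cells (Frames, Bytes pairs).
        if len(cells) % 2 or not all(c.isdigit() for c in cells):
            continue
        for col in range(0, len(cells), 2):
            frames, nbytes = int(cells[col]), int(cells[col + 1])
            zero_frames = frames == 0 and nbytes != 0
            too_big = capture_size is not None and nbytes > capture_size
            if zero_frames or too_big:
                findings.append((interval, col // 2 + 1, frames, nbytes))
    return findings


if __name__ == "__main__":
    for finding in suspect_cells(SAMPLE):
        print("suspect cell:", finding)
```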

