Wireshark-users: Re: [Wireshark-users] tshark load query

From: "j.snelders" <j.snelders@xxxxxxxxxx>
Date: Mon, 6 Jun 2011 17:43:03 +0200
Hi Ronnie,

The LOAD stats work, but with a warning.
I also get this warning, while running on WinXP 32-bit. 

Thanks!
Joke

$ tshark -r test.pcap -qz "io,stat,360,LOAD(smb.time)smb.time"

** (tshark.exe:2872): WARNING **: openSAFETY - SercosIII heuristic dissector can not be registered, openSAFETY/SercosIII native dissection.

============================================================================
IO Statistics
Interval: 360.000000 secs
Column #0: LOAD(smb.time)smb.time
                        |    Column #0   |
Time                    |       LOAD     |
0000.000000-0360.000000         0.462096
0360.000000-0720.000000         0.100718
0720.000000-1080.000000         0.096485
1080.000000-1440.000000         0.035952
1440.000000-1800.000000         0.080976
1800.000000-2160.000000         0.008415
============================================================================

$ tshark -r test.pcap -qz "io,stat,720,LOAD(smb.time)smb.time"

** (tshark.exe:2536): WARNING **: openSAFETY - SercosIII heuristic dissector can not be registered, openSAFETY/SercosIII native dissection.

============================================================================
IO Statistics
Interval: 720.000000 secs
Column #0: LOAD(smb.time)smb.time
                        |    Column #0   |
Time                    |       LOAD     |
0000.000000-0720.000000         0.281407
0720.000000-1440.000000         0.066218
1440.000000-2160.000000         0.044695
============================================================================

$ tshark -v

** (tshark.exe:2616): WARNING **: openSAFETY - SercosIII heuristic dissector can not be registered, openSAFETY/SercosIII native dissection.
TShark 1.7.0-SVN-37568 (SVN Rev 37568 from /trunk)

Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.26.1, with WinPcap (version unknown), with libz
1.2.5, without POSIX capabilities, without libpcre, without SMI, with c-ares
1.7.1, with Lua 5.1, without Python, with GnuTLS 2.10.3, with Gcrypt 1.4.6,
without Kerberos, with GeoIP.

Running on Windows Server 2003 x64 Edition Service Pack 1, build 3790, with
WinPcap version 4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version
1.0 branch 1_0_rel0b (20091008).

Built using Microsoft Visual C++ 9.0 build 21022


On Mon, 6 Jun 2011 20:37:39 +1000 ronnie sahlberg wrote:
>I have checked in to trunk an enhancement to add LOAD() stats to tshark too.
>
>LOAD() is shown as units of commands.
>1.000 represents one I/O  which is different from the GUI graph where
>one I/O is represented as 1000
>
>
>
>Looks like this:
>
>./tshark -n -r ../captures/smbwrite.cap -z "io,stat,0.001,LOAD(smb.time)smb.time" -q
>
>...
>
>============================================================================
>IO Statistics
>Interval:   0.001000 secs
>Column #0: LOAD(smb.time)smb.time
>                        |    Column #0   |
>Time                    |       LOAD     |
>0000.000000-0000.001000         1.000000
>0000.001000-0000.002000         0.741000
>0000.002000-0000.003000         0.000000
>
>...
>
>
>have fun
>ronnie sahlberg
>
>On Mon, Jun 6, 2011 at 4:15 PM, ronnie sahlberg
><ronniesahlberg@xxxxxxxxx> wrote:
>> Hmm. tap-iostat.c for tshark does not support this.
>>
>> I must have had a private branch I forgot to commit.
>>
>>
>> I'll have a look and see if I can locate it, or else I might just
>> reimplement it again.
>>
>> regards
>> ronnie sahlberg
>>
>>
>> On Mon, Jun 6, 2011 at 3:46 AM, j.snelders <j.snelders@xxxxxxxxxx> wrote:
>>> Are you referring to the presentation at the Storage Developer Conference
>>> 2008:
>>> slide 69 - "LOAD graphs"
>>>
>>> Hopefully Ronnie Sahlberg reads your question...
>>> I too would like to know the answer.
>>>
>>> Best regards
>>> Joke
>>>
>>> On Sun, 5 Jun 2011 17:05:27 +0300 Tal Bar-Or wrote:
>>>>To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
>>>>Subject: Re: [Wireshark-users] tshark load query
>>>
>>>>Hello j.snelders
>>>>
>>>>Thank you for the response. I did look into the man-pages and saw it's
>>>>not specified, but recently I read Ronnie Sahlberg's Using Wireshark For
>>>>Analyzing CIFS Traffic PDF.
>>>>
>>>>And in the PDF he gives examples of tshark queries, specifying that this
>>>>kind of query is possible with tshark: "*QUEUE DEPTH analysis can also be
>>>>done by tshark*." So this is why I am looking for it;
>>>>I need it for a script that I am writing.
>>>>
>>>>Thanks
>>>>
>>>>
>>>>On Sun, Jun 5, 2011 at 4:34 PM, j.snelders <j.snelders@xxxxxxxxxx> wrote:
>>>>
>>>>> Hi Tal Bar-Or,
>>>>>
>>>>> According to the man-pages this option is only available in Wireshark and
>>>>> not in TShark.
>>>>>
>>>>> http://www.wireshark.org/docs/man-pages/wireshark.html
>>>>> "advanced..." If Unit:advanced... is selected the window will display two
>>>>> more controls for each of the five graphs. One control will be a menu where
>>>>> the type of calculation can be selected from SUM,COUNT,MAX,MIN,AVG and LOAD,
>>>>> and one control, textbox, where the name of a single display filter field
>>>>> can be specified.
>>>>>
>>>>> http://www.wireshark.org/docs/man-pages/tshark.html
>>>>> io,stat can also do much more statistics and calculate COUNT(), SUM(), MIN(),
>>>>> MAX(), and AVG() using a slightly different filter syntax:
>>>>>
>>>>>   [COUNT|SUM|MIN|MAX|AVG](<field>)<filter>
>>>>>
>>>>> My best
>>>>> Joke
>>>>>
>>>>>
>>>>>
>>>>> >Date: Sun, 5 Jun 2011 14:33:54 +0300 Tal Bar-Or wrote:
>>>>> >Hello all,
>>>>> >
>>>>> >I am trying to produce same query as shown in image with tshark.
>>>>> >Please advise
>>>>> >
>>>>> >Thanks
>>>>> >
>>>>> >--
>>>>> >Tal Bar-or
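
Added illustration (not part of the original thread and not Wireshark's code): a small Python model of LOAD as time-averaged queue depth, assuming each command was outstanding for its smb.time before its response arrived. The function names and the single sample response are constructed; the 360 s and 720 s columns are copied from the output in the message above.

```python
def load_per_interval(responses, interval, n_bins):
    """Model LOAD (queue depth) per io,stat interval.

    responses: (response_time, elapsed) pairs in seconds, where elapsed is
    the response-time field (smb.time here). Assumption: the command was
    outstanding from response_time - elapsed until response_time.
    """
    busy = [0.0] * n_bins                     # in-flight seconds per bin
    for resp_time, elapsed in responses:
        start = max(resp_time - elapsed, 0.0)
        first = int(start // interval)
        last = min(int(resp_time // interval), n_bins - 1)
        for b in range(first, last + 1):
            lo = max(start, b * interval)
            hi = min(resp_time, (b + 1) * interval)
            busy[b] += max(hi - lo, 0.0)
    # 1.0 means one command outstanding for the whole interval
    return [t / interval for t in busy]


def rebin(loads, factor):
    """Merge `factor` adjacent equal-width bins; average depth is the mean."""
    return [sum(loads[i:i + factor]) / factor
            for i in range(0, len(loads), factor)]


# Constructed input: one command answered at t=1.741 ms after 1.741 ms.
SAMPLE = [(0.001741, 0.001741)]
# LOAD columns copied from the 360 s and 720 s runs in this message.
LOAD_360 = [0.462096, 0.100718, 0.096485, 0.035952, 0.080976, 0.008415]
LOAD_720 = [0.281407, 0.066218, 0.044695]

if __name__ == "__main__":
    print([round(v, 6) for v in load_per_interval(SAMPLE, 0.001, 3)])
    for merged, shown in zip(rebin(LOAD_360, 2), LOAD_720):
        print(f"{merged:.6f} vs {shown:.6f}")
```

The constructed sample yields the same 1.000 / 0.741 / 0.000 pattern as the quoted smbwrite.cap output, and averaging adjacent 360 s rows matches the 720 s rows to within the last printed digit, which is what a time-averaged queue depth predicts.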