Wireshark-users: Re: [Wireshark-users] tshark load query

From: "j.snelders" <j.snelders@xxxxxxxxxx>
Date: Mon, 6 Jun 2011 20:17:03 +0200
Hi Ronnie,

The problem still exists in SVN37570.

$ tshark -v

** (tshark.exe:2932): WARNING **: openSAFETY - SercosIII heuristic dissector can not be registered, openSAFETY/SercosIII native dissection.
TShark 1.7.0-SVN-37570 (SVN Rev 37570 from /trunk)

Is this related to bug 5990 (SERCOS III built-in dissector (from plugin))?
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5990

Thanks
Joke


On Mon, 6 Jun 2011 17:43:03 +0200 j.snelders wrote:
>Hi Ronnie,
>
>The LOAD stats work, but with a warning.
>I also get this warning, while running on WinXP 32-bit. 
>
>Thanks!
>Joke
>
>$ tshark -r test.pcap -qz "io,stat,360,LOAD(smb.time)smb.time"
>
>** (tshark.exe:2872): WARNING **: openSAFETY - SercosIII heuristic dissector can not be registered, openSAFETY/SercosIII native dissection.
>
>============================================================================
>IO Statistics
>Interval: 360.000000 secs
>Column #0: LOAD(smb.time)smb.time
>                        |    Column #0   |
>Time                    |       LOAD     |
>0000.000000-0360.000000         0.462096
>0360.000000-0720.000000         0.100718
>0720.000000-1080.000000         0.096485
>1080.000000-1440.000000         0.035952
>1440.000000-1800.000000         0.080976
>1800.000000-2160.000000         0.008415
>============================================================================
>
>$ tshark -r test.pcap -qz "io,stat,720,LOAD(smb.time)smb.time"
>
>** (tshark.exe:2536): WARNING **: openSAFETY - SercosIII heuristic dissector can not be registered, openSAFETY/SercosIII native dissection.
>
>============================================================================
>IO Statistics
>Interval: 720.000000 secs
>Column #0: LOAD(smb.time)smb.time
>                        |    Column #0   |
>Time                    |       LOAD     |
>0000.000000-0720.000000         0.281407
>0720.000000-1440.000000         0.066218
>1440.000000-2160.000000         0.044695
>============================================================================
>
>$ tshark -v
>
>** (tshark.exe:2616): WARNING **: openSAFETY - SercosIII heuristic dissector can not be registered, openSAFETY/SercosIII native dissection.
>TShark 1.7.0-SVN-37568 (SVN Rev 37568 from /trunk)
>
>Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
>This is free software; see the source for copying conditions. There is NO
>warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>
>Compiled (64-bit) with GLib 2.26.1, with WinPcap (version unknown), with
>libz 1.2.5, without POSIX capabilities, without libpcre, without SMI, with
>c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.10.3, with Gcrypt
>1.4.6, without Kerberos, with GeoIP.
>
>Running on Windows Server 2003 x64 Edition Service Pack 1, build 3790, with
>WinPcap version 4.1.2 (packet.dll version 4.1.0.2001), based on libpcap
>version 1.0 branch 1_0_rel0b (20091008).
>
>Built using Microsoft Visual C++ 9.0 build 21022
>
>
>On Mon, 6 Jun 2011 20:37:39 +1000 ronnie sahlberg wrote:
>>I have checked in to trunk an enhancement to add LOAD() stats to tshark too.
>>
>>LOAD() is shown as units of commands.
>>1.000 represents one I/O  which is different from the GUI graph where
>>one I/O is represented as 1000
>>
>>
>>
>>Looks like this:
>>
>>./tshark -n -r ../captures/smbwrite.cap -z "io,stat,0.001,LOAD(smb.time)smb.time" -q
>>
>>...
>>
>>============================================================================
>>IO Statistics
>>Interval:   0.001000 secs
>>Column #0: LOAD(smb.time)smb.time
>>                        |    Column #0   |
>>Time                    |       LOAD     |
>>0000.000000-0000.001000         1.000000
>>0000.001000-0000.002000         0.741000
>>0000.002000-0000.003000         0.000000
>>
>>...
>>
>>
>>have fun
>>ronnie sahlberg
>>
>>On Mon, Jun 6, 2011 at 4:15 PM, ronnie sahlberg
>><ronniesahlberg@xxxxxxxxx> wrote:
>>> Hmm. tap-iostat.c for tshark does not support this.
>>>
>>> I must have had a private branch I forgot to commit.
>>>
>>>
>>> I'll have a look and see if I can locate it, or else I might just
>>> reimplement it again.
>>>
>>> regards
>>> ronnie sahlberg
>>>
>>>
>>> On Mon, Jun 6, 2011 at 3:46 AM, j.snelders <j.snelders@xxxxxxxxxx> wrote:
>>>> Are you referring to the presentation at the Storage Developer Conference
>>>> 2008: slide 69 - "LOAD graphs"?
>>>>
>>>> Hopefully Ronnie Sahlberg reads your question...
>>>> I too would like to know the answer.
>>>>
>>>> Best regards
>>>> Joke
>>>>
>>>> On Sun, 5 Jun 2011 17:05:27 +0300 Tal Bar-Or wrote:
>>>>>To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
>>>>>Subject: Re: [Wireshark-users] tshark load query
>>>>
>>>>>Hello j.snelders
>>>>>
>>>>>Thank you for the response. I did look into the man-pages and saw it's
>>>>>not specified, but recently I read Ronnie Sahlberg's "Using Wireshark For
>>>>>Analyzing CIFS Traffic" PDF.
>>>>>
>>>>>And in the PDF he gives examples of tshark queries and specifies that this
>>>>>kind of query is possible with tshark: "*QUEUE DEPTH analysis can also be
>>>>>done by tshark*." So this is why I am looking for it;
>>>>>I need it for a script that I am writing.
>>>>>
>>>>>Thanks
>>>>>
>>>>>
>>>>>On Sun, Jun 5, 2011 at 4:34 PM, j.snelders <j.snelders@xxxxxxxxxx> wrote:
>>>>>
>>>>>> Hi Tal Bar-Or,
>>>>>>
>>>>>> According to the man-pages this option is only available in Wireshark
>>>>>> and not in TShark.
>>>>>>
>>>>>> http://www.wireshark.org/docs/man-pages/wireshark.html
>>>>>> "advanced..." If Unit:advanced... is selected the window will display two
>>>>>> more controls for each of the five graphs. One control will be a menu where
>>>>>> the type of calculation can be selected from SUM,COUNT,MAX,MIN,AVG and
>>>>>> LOAD, and one control, textbox, where the name of a single display filter
>>>>>> field can be specified.
>>>>>>
>>>>>> http://www.wireshark.org/docs/man-pages/tshark.html
>>>>>> io,stat can also do much more statistics and calculate COUNT(), SUM(),
>>>>>> MIN(), MAX(), and AVG() using a slightly different filter syntax:
>>>>>>
>>>>>>   [COUNT|SUM|MIN|MAX|AVG](<field>)<filter>
>>>>>>
>>>>>> My best
>>>>>> Joke
>>>>>>
>>>>>>
>>>>>>
>>>>>> >Date: Sun, 5 Jun 2011 14:33:54 +0300 Tal Bar-Or wrote:
>>>>>> >Hello all,
>>>>>> >
>>>>>> >I am trying to produce the same query as shown in the image with tshark.
>>>>>> >Please advise
>>>>>> >
>>>>>> >Thanks
>>>>>> >
>>>>>> >--
>>>>>> >Tal Bar-or
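
For scripted use of the LOAD() statistics discussed in this thread, the following is an added example (not part of the original messages or of Wireshark itself) that parses the plain-text `io,stat` table in the layout quoted above and returns the busiest interval. The names `parse_io_stat` and `busiest` are hypothetical, and the sample is the 360-second output copied from the thread; other tshark versions may lay the table out differently.

```python
import re

# Output of the 360-second run quoted in the thread, warning line included.
SAMPLE = """\
** (tshark.exe:2872): WARNING **: openSAFETY - SercosIII heuristic dissector can not be registered, openSAFETY/SercosIII native dissection.
============================================================================
IO Statistics
Interval: 360.000000 secs
Column #0: LOAD(smb.time)smb.time
                        |    Column #0   |
Time                    |       LOAD     |
0000.000000-0360.000000         0.462096
0360.000000-0720.000000         0.100718
0720.000000-1080.000000         0.096485
1080.000000-1440.000000         0.035952
1440.000000-1800.000000         0.080976
1800.000000-2160.000000         0.008415
============================================================================
"""

INTERVAL_RE = re.compile(r"^Interval:\s*([0-9.]+)\s*secs")
COLUMN_RE = re.compile(r"^Column #(\d+):\s*(.+)$")
ROW_RE = re.compile(r"^(\d+\.\d+)-(\d+\.\d+)((?:\s+[0-9.]+)+)\s*$")

def parse_io_stat(text):
    """Parse one io,stat table; warnings and rulers are skipped."""
    interval, columns, rows = None, [], []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate mail-quoted output
        if m := INTERVAL_RE.match(line):
            interval = float(m.group(1))
        elif m := COLUMN_RE.match(line):
            columns.append(m.group(2).strip())
        elif m := ROW_RE.match(line):
            values = [float(v) for v in m.group(3).split()]
            if len(values) != len(columns):  # truncated or mixed-up table
                raise ValueError(f"expected {len(columns)} values: {line!r}")
            rows.append((float(m.group(1)), float(m.group(2)), values))
    if interval is None or not rows:
        raise ValueError("no io,stat table found")
    return {"interval": interval, "columns": columns, "rows": rows}

def busiest(stats, column=0):
    """Return (start, end, value) of the interval with the highest value."""
    start, end, values = max(stats["rows"], key=lambda r: r[2][column])
    return start, end, values[column]

if __name__ == "__main__":
    print(busiest(parse_io_stat(SAMPLE)))
```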