
Wireshark-users: Re: [Wireshark-users] use of -z io,stat

From: Stuart Kendrick <skendric@xxxxxxxxx>
Date: Thu, 30 May 2013 06:08:46 -0700

Ahhh, I see -- I was confusing frame.time_delta with tcp.time_delta

Thank you,

--sk

On 5/29/2013 2:19 PM, Sake Blok wrote:
> Stuart,
>
> If you would have used frame.time_delta, it would have worked, however, tcp.time_delta is a delta time within the TCP conversation, so if there are more TCP sessions at the same time, you can end up with more time delta in the io stat than the capture time.
>
> Example:
>
> Frame 1, tcp stream 0, frame.time_relative = 0.000, frame.time_delta = 0.000, tcp.time_delta = 0.000
> Frame 2, tcp stream 1, frame.time_relative = 0.100, frame.time_delta = 0.100, tcp.time_delta = 0.000
> Frame 3, tcp stream 0, frame.time_relative = 1.000, frame.time_delta = 0.900, tcp.time_delta = 1.000
> Frame 4, tcp stream 1, frame.time_relative = 1.100, frame.time_delta = 0.100, tcp.time_delta = 1.000
>
> Sum frame.time_delta = 1.100, sum tcp.time_delta = 2.000
>
> Cheers,
> Sake
>
>
> On 26 mei 2013, at 17:42, Stuart Kendrick wrote:
>
>> I'm trying to teach myself how to use the '-z io,stat' options in tshark
>>
>> I was imagining that the following would tell me how many seconds the trace covers
>>
>> tshark -r sample-http.pcapng -o tcp.calculate_timestamps:TRUE -qz "io,stat,0,SUM(tcp.time_delta)tcp.time_delta"
>>
>> =============================================
>> | IO Statistics                             |
>> |                                           |
>> | Interval size: 11.1 secs (dur)            |
>> | Col 1: Frames and bytes                   |
>> |     2: SUM(tcp.time_delta)tcp.time_delta  |
>> |-------------------------------------------|
>> |              |1               |2          |
>> | Interval     | Frames | Bytes |    SUM    |
>> |-------------------------------------------|
>> |  0.0 <> 11.1 |    216 | 45453 | 23.817352 |
>> =============================================
>>
>> capinfos sample-http.pcapng
>> File name:           sample-http.pcapng
>> [...]
>> File size:           53 kB
>> Data size:           45 kB
>> Capture duration:    11 seconds
>> [...]
>>
>> But apparently not:  '23.817352' does not equal '11 seconds'
>>
>> https://vishnu.fhcrc.org/wireshark/sample-http.pcapng
>> I'm using wireshark 1.10.0rc2
>>
>> What am I not understanding about this '-z io,stat' feature?
>>
>> --sk
>>
>> Stuart Kendrick
>> FHCRC
>>
>> P.S.
>>
>> My actual use case will be more complex than this.  This trace was taken next to the Client.  
>> I want to calculate how much time the Client spent thinking:
>> tshark -r sample-http.pcapng -o tcp.calculate_timestamps:TRUE -qz "io,stat,0,SUM(tcp.time_delta)tcp.time_delta and tcp.dstport==80"
>>
>> and how much time the Network + Server spent thinking:
>> tshark -r sample-http.pcapng -o tcp.calculate_timestamps:TRUE -qz "io,stat,0,SUM(tcp.time_delta)tcp.time_delta and tcp.srcport==80"
>>
>> To give myself insights into how much of the total transaction time the Client is contributing versus that of the Network + Server.
>>
>> But I figure that if I cannot even persuade tshark to sum every value in the DeltaT column, then I'm not ready to progress to the real-world use case.
>>
>>
>> P.P.S.
>> The Average function gives me a plausible answer:
>>
>> tshark -r sample-http.pcapng -o tcp.calculate_timestamps:TRUE -qz "io,stat,0,AVG(tcp.time_delta)tcp.time_delta"
>>
>> =============================================
>> | IO Statistics                             |
>> |                                           |
>> | Interval size: 11.1 secs (dur)            |
>> | Col 1: Frames and bytes                   |
>> |     2: AVG(tcp.time_delta)tcp.time_delta  |
>> |-------------------------------------------|
>> |              |1                |2         |
>> | Interval     | Frames |  Bytes |    AVG   |
>> |-------------------------------------------|
>> |  0.0 <> 11.1 |    473 | 349155 | 0.050354 |
>> =============================================
>>
>>
>> But when I sanity-check this calculation using Excel, I see a different result:
>> 0.023518s
>>
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
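
The four-frame example from the quoted reply, worked through in code as an added illustration that is not part of the original thread. It recomputes both delta fields from (frame.time_relative, tcp.stream) pairs and shows that the frame.time_delta sum matches the capture duration while the tcp.time_delta sum matches the sum of the per-stream durations. The function names and the tuple layout are assumptions made for this example.

```python
# Constructed sample: the four frames from the reply above,
# as (frame.time_relative, tcp.stream) pairs in capture order.
FRAMES = [(0.000, 0), (0.100, 1), (1.000, 0), (1.100, 1)]


def deltas(frames):
    """Return one (frame_delta, tcp_delta) pair per frame.

    frame_delta: time since the previous frame in the capture.
    tcp_delta:   time since the previous frame in the same TCP stream
                 (0 for the first frame of each stream).
    """
    prev_frame = None
    prev_in_stream = {}
    out = []
    for t, stream in frames:
        frame_delta = 0.0 if prev_frame is None else t - prev_frame
        tcp_delta = t - prev_in_stream[stream] if stream in prev_in_stream else 0.0
        out.append((frame_delta, tcp_delta))
        prev_frame = t
        prev_in_stream[stream] = t
    return out


def summarize(frames):
    """Compare the two sums with the durations they actually measure."""
    if not frames:
        return {"sum_frame_delta": 0.0, "sum_tcp_delta": 0.0,
                "capture_duration": 0.0, "per_stream_duration": {}}
    d = deltas(frames)
    span = {}  # stream -> (first timestamp, last timestamp)
    for t, stream in frames:
        first, _ = span.get(stream, (t, t))
        span[stream] = (first, t)
    return {
        "sum_frame_delta": round(sum(f for f, _ in d), 6),
        "sum_tcp_delta": round(sum(c for _, c in d), 6),
        "capture_duration": round(frames[-1][0] - frames[0][0], 6),
        "per_stream_duration": {s: round(b - a, 6) for s, (a, b) in span.items()},
    }


if __name__ == "__main__":
    for key, value in summarize(FRAMES).items():
        print(f"{key}: {value}")
```

With overlapping streams the tcp.time_delta sum grows with the number of concurrent conversations, which is why it can exceed the capture duration.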