Ethereal-dev: [Ethereal-dev] SMB Response Time Graph - smbplot

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Visser, Martin (Sydney)" <martin.visser@xxxxxx>
Date: Mon, 19 May 2003 07:50:35 +1000
In response to the challenge from Ronnie, I decided to develop the
attached perl script - smbplot. Basically I think it does a fairly nice
job of producing a graph from the io,stat output for smb.time. It
usefully plots average RTT as well as the range of RTT for each sample
interval (as Ronnie suggested). Optionally you can overlay the SMB
protocol bytes throughput.

I have chosen to use Ploticus <http://ploticus.sourceforge.net/> rather
than Gnuplot. The main reason is that Ploticus seems to
produce a nicer output, and also will be a more suitable candidate for
other ideas I want to pursue in the future. (It has piecharts, can
produce SVG and also produce imagemaps to allow interaction with the
charts.)

Anyway grab a copy of ploticus and try the script out. I have also
attached a GIF from some data I had.

BTW To date I have only tested it on Windows running Cygwin and Perl.
(I'll test this on Linux in the next day or two).

Any feedback will be appreciated. (Next feature for this will be to
produce a histogram showing the range of response times for the whole
sample period. I will also aim to produce a collection of tools such as
protocol (or other categorisation), and some more generic response time
graphs). 

Martin Visser, CISSP
Network and Security Consultant 
Technology & Infrastructure - Consulting & Integration
HP Services

3 Richardson Place 
North Ryde, Sydney NSW 2113, Australia 
Phone: +61-2-9022-1670    Mobile: +61-411-254-513
Fax: +61-2-9022-1800      E-mail: martin.visserAThp.com



-----Original Message-----
From: Visser, Martin (Sydney) 
Sent: Tuesday, 29 April 2003 4:06 PM
To: 'Ronnie Sahlberg'; ethereal-dev@xxxxxxxxxxxx
Subject: RE: [Ethereal-dev] Updates to io-stat calculations


That sounds like a challenge that I have been planning on taking for a
while. I'll see what I can do in my "spare time" (is there such a thing
:-)  )

 

Martin Visser
Network Consultant 
Technology & Infrastructure - Consulting & Integration
HP Services

3 Richardson Place 
North Ryde, Sydney NSW 2113, Australia 
Phone: +61-2-9022-1670    Mobile: +61-411-254-513
Fax: +61-2-9022-1800      E-mail: martin.visserAThp.com



-----Original Message-----
From: Ronnie Sahlberg [mailto:ronnie_sahlberg@xxxxxxxxxxxxxx] 
Sent: Monday, 28 April 2003 6:57 PM
To: Visser, Martin (Sydney); ethereal-dev@xxxxxxxxxxxx
Subject: Re: [Ethereal-dev] Updates to io-stat calculations


Very pretty graphs
but there seem to be some semi-serious issues with it.

First it seems it only looks at the TCP layer and thus should only be
able to produce the graphs reliably iff the client is single-threaded
(only does one command at a time) compared to ethereal's measurements
that are based on data in the actual smb/oncrpc/dcerpc/... layers.


But the graphs sure look very much better than the ethereal ones.

It would be very useful if someone hacked up some scripts to take the
output from tethereal -z io,stat,0.010,MIN/MAX/AVG(smb.time)smb.time...
did some grep and sed magic on it and fed it into gnuplot to generate
nice PNGs with smoothed graphs.

This would be a very useful thing.


----- Original Message -----
From: "Visser, Martin (Sydney)"
Sent: Monday, April 28, 2003 11:31 AM
Subject: RE: [Ethereal-dev] Updates to io-stat calculations


While not a "sniffer" per se, Packeteer PacketShaper does quite a nice
job of plotting response times etc using histogram buckets. PacketShaper
inspects and records stats for all traffic that match "classes", and in
this case those that you nominate to record response time. It also does
some interesting calculations to work out network time-of-flight and
server response (by comparing SYN-ACK response with normal payload
response time)

Graphically results are output as attached (for telnet traffic on a link
to a particular site).

There is some info on the function at
http://support.packeteer.com/documentation/packetguide/current/nav/tasks/rtm/monitor-rtm.htm

And the tech details on RTM calcs at
http://support.packeteer.com/documentation/packetguide/current/info/rtm-technical-details.htm


Martin Visser
Network Consultant
Technology & Infrastructure - Consulting & Integration
HP Services

3 Richardson Place
North Ryde, Sydney NSW 2113, Australia
Phone: +61-2-9022-1670    Mobile: +61-411-254-513
Fax: +61-2-9022-1800      E-mail: martin.visserAThp.com



-----Original Message-----
From: Ronnie Sahlberg [mailto:ronnie_sahlberg@xxxxxxxxxxxxxx]
Sent: Thursday, 24 April 2003 10:47 PM
To: ethereal-dev@xxxxxxxxxxxx
Subject: [Ethereal-dev] Updates to io-stat calculations


I just checked in some updates to tethereal io-stat calculations.
Tethereal can now, in addition to frames/bytes counts, also calculate
COUNT,SUM,MIN,MAX,AVG for several types of fields.

Please see manual page for tethereal.


Example:
tethereal ... -z "io,stat,0.100,ip.addr==1.1.1.1&&smb.time,MIN(smb.time)ip.addr==1.1.1.1&&smb.time,MAX(smb.time)ip.addr==1.1.1.1&&smb.time,AVG(smb.time)ip.addr==1.1.1.1&&smb.time"

This will calculate statistics in 100ms intervals for all smb responses
to/from the host at 1.1.1.1. (only response packets have the smb.time
field)

The output will be presented in 4 columns:
Column1:   number of frames/bytes for all such response packets.
Column2:  MINimum response time seen in the interval
Column3:  MAXimum response time seen in the interval.
Column4:  AVeraGe response time seen in the interval.


The output should be simple to convert with some sed magic into
something excel or any other application capable of producing graphs can
import.


Note that the example above is simplified and may not be useful in the
real world since some SMB commands will normally have very long response
times (i.e. NOTIFY which normally can take minutes/hours to complete)
which will poison the data. It may be necessary to enhance the filter to
remove the influence from those calls.


Other interesting protocols to plot the response time for like this are
probably nfs (rpc.time) and dcerpc.time.


Any other sniffer capable of plotting min/max/average response time from
a specific client over time?

have fun.
   ronnie sahlberg


_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev


Attachment: smbplot.gif
Description: smbplot.gif

Attachment: smbplot
Description: smbplot
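
The conversion Ronnie describes, as an added example that is not part of the original thread and is not the attached smbplot script: it turns io,stat interval rows into CSV, blanks MIN/MAX/AVG for empty intervals, and flags intervals whose MAX points to a long-outstanding call such as NOTIFY. The row layout, the sample data and the 10-second threshold are assumptions; the thread only states the four columns.

```python
import csv
import io
import re

# Constructed sample, not real tethereal output. Assumed row layout:
# "<start>-<end>  frames  bytes  MIN  MAX  AVG" (the four columns in the thread).
SAMPLE = """\
IO Statistics
Interval: 0.100 secs
000.000-000.100      12    1834    0.000214    0.004100    0.001020
000.100-000.200       0       0    0.000000    0.000000    0.000000
000.200-000.300       7    1011    0.000305  184.220000   26.318000
000.300-000.400       9    1290    0.000198    0.002750    0.000940
"""

ROW = re.compile(r"^\s*(\d+\.\d+)\s*-\s*(\d+\.\d+)\s+(.*)$")
NUM = re.compile(r"\d+(?:\.\d+)?")
FIELDS = ["start", "end", "frames", "bytes", "min", "max", "avg", "poisoned"]


def parse_io_stat(text, poison_secs=10.0):
    """Return one dict per interval row; headers and separators are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        nums = NUM.findall(m.group(3)) if m else []
        if len(nums) != 5:
            continue  # not the assumed frames/bytes/MIN/MAX/AVG layout
        frames, nbytes = int(float(nums[0])), int(float(nums[1]))
        lo, hi, avg = (float(n) for n in nums[2:])
        if frames == 0:
            lo = hi = avg = None  # no responses: zero is "no data", not a 0 s RTT
        rows.append(dict(zip(FIELDS, [
            float(m.group(1)), float(m.group(2)), frames, nbytes,
            lo, hi, avg, hi is not None and hi > poison_secs])))
    return rows


def to_csv(rows):
    """Serialise the rows for a spreadsheet or plotting tool."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)  # None is written as an empty cell
    return out.getvalue()


def clean_average(rows):
    """Frame-weighted mean RTT over intervals that are neither empty nor poisoned."""
    good = [r for r in rows if r["frames"] and not r["poisoned"]]
    total = sum(r["frames"] for r in good)
    return sum(r["avg"] * r["frames"] for r in good) / total if total else None
```

Flagging after the fact only hides a poisoned interval from the summary; removing the slow calls themselves still has to happen in the display filter, as the original message says.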