Wireshark-bugs: [Wireshark-bugs] [Bug 8647] SUM(tcp.time_delta)tcp.time_delta incorrect
Date: Sun, 19 May 2013 20:43:45 +0000

Comment # 13 on bug 8647 from
> I think you want smb2.time - there are no smb1 packets in the capture :)

Ahh.  Good point.  :)

tshark -r file-copy.pcap -qz "io,stat,0,AVG(smb2.time)smb2.time"
===============================================
| IO Statistics                               |
|                                             |
| Interval size: 51.8 secs (dur)              |
| Col 1: Frames and bytes                     |
|     2: AVG(smb2.time)smb2.time              |
|---------------------------------------------|
|              |1                  |2         |
| Interval     | Frames |   Bytes  |    AVG   |
|---------------------------------------------|
|  0.0 <> 51.8 |  18972 | 26654645 | 0.048863 |
===============================================


> I'm not sure what you mean. In your original report you used the GUI's FBAR
> to get the same results, so has it suddenly stopped working in 1.10?

Yes, that is what I am claiming.

> Looking at the screenshots in your PDF I want to blame this on Windows
> having confusing widgets - I don't think you have Graph 1 enabled (even
> though it's blue from being the selected widget, the button doesn't appear
> depressed).

I agree that the Windows GUI widgets have confused me in the past ... though I
am clicking on the 'Graph 1' button right now, with no apparent effect.

[...]

> > On p.16 of that document, I demonstrated how to use tshark to perform this
> > calculation ... using a Display Filter ('-R') rather than an io,stat filter
> > ... perhaps I was simply propagating inaccurate information, perhaps tshark
> > behaved differently back then (v1.7.1)
> 
> I wasn't a dev back then, so I honestly don't know. I do know that tshark's
> filtering flags have been rewritten a few times and have been subtly
> different each time, so it wouldn't surprise me if that used to work. The
> current behaviour is intended though - it just needs better documentation.

Occurred to me that I can re-run this experiment using the traces from that
article ... i.e. comparing 1.7.1 to 1.10.0

[I do this ... omitting the specifics here ...]
And the results support the idea that tshark, using the syntax you've
suggested, delivers accurate results.

Which suggests that something is different about the Akamai/http case I
sketched earlier today, perhaps I'm fumbling something.

--sk

