Wireshark-bugs: [Wireshark-bugs] [Bug 8720] New: tshark -qz io, stat output inconsistent
Date: Sun, 26 May 2013 21:39:55 +0000
Bug ID | 8720 |
---|---|
Summary | tshark -qz io,stat output inconsistent |
Classification | Unclassified |
Product | Wireshark |
Version | 1.10.0 |
Hardware | x86 |
OS | Windows 7 |
Status | UNCONFIRMED |
Severity | Minor |
Priority | Low |
Component | TShark |
Assignee | bugzilla-admin@wireshark.org |
Reporter | skendric@fhcrc.org |
Created attachment 10843 [details]
Example of trace for which -qz io,stat works as predicted
Build Information:
1.10.0rc2
Windows 7 64 bit
--
I'm skeptical that tshark reliably calculates tcp.time_delta using the -qz
io,stat parameters.
HTTP-GOOD.PCAPNG
In this trace, I capture close to the Client (140.107.9.116), downloading a
file via HTTP from a Server (140.107.74.123) located across a WAN pipe.
Example #1
Here, I ask tshark to sum all the DeltaTs in the trace -- this should equal the
total duration of the trace.
tshark -r http-good.pcapng -o tcp.calculate_timestamps:TRUE -qz
io,stat,0,SUM(tcp.time_delta)tcp.time_delta
===============================================
| IO Statistics |
| |
| Interval size: 0.200 secs (dur) |
| Col 1: Frames and bytes |
| 2: SUM(tcp.time_delta)tcp.time_delta |
|---------------------------------------------|
| |1 |2 |
| Interval | Frames | Bytes | SUM |
|---------------------------------------------|
| 0.000 <> 0.200 | 483 | 462710 | 0.200125 |
===============================================
On the surface, this looks plausible: 'Interval size' (duration) = .200s, and
the SUM of all DeltaTs = .200125s
The Wireshark GUI confirms that the trace lasts for .200s
Example #2
Here I ask tshark to sum all the DeltaTs for the Server, i.e. to calculate how
long the Server (+ Network) spent turning around frames:
tshark -r http-good.pcapng -o tcp.calculate_timestamps:TRUE -qz
"io,stat,0,SUM(tcp.time_delta)tcp.time_delta and tcp.srcport==80"
================================================================
| IO Statistics |
| |
| Interval size: 0.200 secs (dur) |
| Col 1: Frames and bytes |
| 2: SUM(tcp.time_delta)tcp.time_delta and tcp.srcport==80 |
|--------------------------------------------------------------|
| |1 |2 | |
| Interval | Frames | Bytes | SUM | |
|---------------------------------------------| |
| 0.000 <> 0.200 | 483 | 462710 | 0.193655 | |
================================================================
Again, this looks plausible, and using Excel, I confirm this SUM.
Example #3
Finally, I ask tshark to sum all the DeltaTs for the Client.
tshark -r http-good.pcapng -o tcp.calculate_timestamps:TRUE -qz
"io,stat,0,SUM(tcp.time_delta)tcp.time_delta and tcp.dstport==80"
================================================================
| IO Statistics |
| |
| Interval size: 0.200 secs (dur) |
| Col 1: Frames and bytes |
| 2: SUM(tcp.time_delta)tcp.time_delta and tcp.dstport==80 |
|--------------------------------------------------------------|
| |1 |2 | |
| Interval | Frames | Bytes | SUM | |
|---------------------------------------------| |
| 0.000 <> 0.200 | 483 | 462710 | 0.006470 | |
================================================================
The result looks plausable, and Excel confirms the calculation.
Also, .193655s + .006470s = .200125s, so the three Examples are
self-consistent.
HTTPD-BAD.PCAPNG
In the bad case, I have captured again close to the Client (140.107.203.6),
which is engaged in multiple conversations with the Server (209.124.184.143).
Example #4
As before, I ask tshark to sum all the DeltaTs in the trace.
tshark -r http-bad.pcapng -o tcp.calculate_timestamps:TRUE -qz
io,stat,0,SUM(tcp.time_delta)tcp.time_delta
==============================================
| IO Statistics |
| |
| Interval size: 11.1 secs (dur) |
| Col 1: Frames and bytes |
| 2: SUM(tcp.time_delta)tcp.time_delta |
|--------------------------------------------|
| |1 |2 |
| Interval | Frames | Bytes | SUM |
|--------------------------------------------|
| 0.0 <> 11.1 | 473 | 349155 | 23.817352 |
==============================================
But this time, the result is not plausible: the trace lasts 11.s, yet the sum
of all DeltaTs is more than twice that, at 23.817352s
The GUI confirms that the total trace time is ~11.1s, ditto with Excel.
Example #5
Here, I ask tshark to sum all the DeltaTs for frames emitted by the Client:
tshark -r http-bad.pcapng -o tcp.calculate_timestamps:TRUE -qz "i
o,stat,0,SUM(tcp.time_delta)tcp.time_delta and tcp.dstport==80"
================================================================
| IO Statistics |
| |
| Interval size: 11.1 secs (dur) |
| Col 1: Frames and bytes |
| 2: SUM(tcp.time_delta)tcp.time_delta and tcp.dstport==80 |
|--------------------------------------------------------------|
| |1 |2 | |
| Interval | Frames | Bytes | SUM | |
|--------------------------------------------| |
| 0.0 <> 11.1 | 473 | 349155 | 22.416886 | |
================================================================
Again, the results are not plausible.
Example #6
Ditto for asking tshark to sum all the DeltaTs for frames emitted by the
Server.
tshark -r http-bad.pcapng -o tcp.calculate_timestamps:TRUE -qz
"io,stat,0,SUM(tcp.time_delta)tcp.time_delta and tcp.srcport==80"
================================================================
| IO Statistics |
| |
| Interval size: 11.1 secs (dur) |
| Col 1: Frames and bytes |
| 2: SUM(tcp.time_delta)tcp.time_delta and tcp.srcport==80 |
|--------------------------------------------------------------|
| |1 |2 | |
| Interval | Frames | Bytes | SUM | |
|-------------------------------------------| |
| 0.0 <> 11.1 | 473 | 349155 | 1.400466 | |
================================================================
At least the Sums are internally consistent:
22.416886s + 1.400466s = 23.817352s
And the direction is consistent: I know from other analysis that in this
example the Client contributes almost all of the trace time, so I am
unsurprised that the Client Time (1.400466s) is substantially less than the
Server Time (22.416886). But since the total trace time is only ~11.1s, I am
skeptical of both Sums.
AVERAGE
Let's try the AVERAGE function:
httpd-good.pcapng
tshark -r http-good.pcapng -o tcp.calculate_timestamps:TRUE -qz
io,stat,0,AVG(tcp.time_delta)tcp.time_delta
===============================================
| IO Statistics |
| |
| Interval size: 0.200 secs (dur) |
| Col 1: Frames and bytes |
| 2: AVG(tcp.time_delta)tcp.time_delta |
|---------------------------------------------|
| |1 |2 |
| Interval | Frames | Bytes | AVG |
|---------------------------------------------|
| 0.000 <> 0.200 | 483 | 462710 | 0.000414 |
===============================================
The result is plausible ... and Excel concurs, telling me that the Average is
.000414
httpd-bad.pcapng
tshark -r http-bad.pcapng -o tcp.calculate_timestamps:TRUE -qz
io,stat,0,AVG(tcp.time_delta)tcp.time_delta
=============================================
| IO Statistics |
| |
| Interval size: 11.1 secs (dur) |
| Col 1: Frames and bytes |
| 2: AVG(tcp.time_delta)tcp.time_delta |
|-------------------------------------------|
| |1 |2 |
| Interval | Frames | Bytes | AVG |
|-------------------------------------------|
| 0.0 <> 11.1 | 473 | 349155 | 0.050354 |
=============================================
Again, this result is plausible ... but Excel disagrees; Excel calculates an
Average of .023518s
I will attach to this bug:
http-good.pcapng
http-good.csv
http-good.xlsx
http-bad.pcapng
http-bad.csv
httpd-bad.xlsx
--sk
You are receiving this mail because:
- You are watching all bug changes.
- Follow-Ups:
- [Wireshark-bugs] [Bug 8720] tshark -qz io, stat output inconsistent
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8720] tshark -qz io, stat output inconsistent
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8720] tshark -qz io, stat output inconsistent
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8720] tshark -qz io, stat output inconsistent
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8720] tshark -qz io, stat output inconsistent
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8720] tshark -qz io, stat output inconsistent
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8720] tshark -qz io, stat output inconsistent
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8720] tshark -qz io, stat output inconsistent
- Prev by Date: [Wireshark-bugs] [Bug 8718] ZigBee ZCL Identify cluster not managed
- Next by Date: [Wireshark-bugs] [Bug 8720] tshark -qz io, stat output inconsistent
- Previous by thread: [Wireshark-bugs] [Bug 8522] Add heuristic to dissect DVB-S2 over ethernet
- Next by thread: [Wireshark-bugs] [Bug 8720] tshark -qz io, stat output inconsistent
- Index(es):