Wireshark-users: Re: [Wireshark-users] Getting duration when using tshark -z conv
Unfortunately not, thanks.
When I get conversation breakdowns from wireshark it gives me these
columns:
Address A Port A Address B Port B Packets Bytes Packets
A->B Bytes A->B Packets A<-B Bytes A<-B Rel Start
Duration bps A->B bps A<-B
(saved as CSV from the conversations window)
But when I get conversations from tshark it only has these:
| <- | |
-> | | Total |
| Frames Bytes | |
Frames Bytes | | Frames Bytes |
I really want the Duration data so that I can roughly tell the consumed
bandwidth of a given conversation.
With wireshark generating the conversation breakdown takes about 5 times
as long as with tshark, and with tshark taking over an hour that's a
significant difference :)
I can't even load the files on 32 bit Windows because it runs out of
address space, but tshark uses much less memory too.
What I'd like is for -z conv to give me exactly the same columns as
wireshark.
Thanks
Jim
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of
> j.snelders@xxxxxxxxxx
> Sent: 12 September 2008 21:11
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Getting duration when using
> tshark -z conv
>
> Hi Jim,
>
> Is this what you are looking for?
>
> You can use -o column.format for various time formats:
> tshark -o column.format:""No.", "%m", "Time", "%Yt", "Time",
> "%Tt", "Time", "%Rt", "Protocol", "%p", "Length", "%L"" -z
> conv,tcp -r test.cap > test2.txt
> Output:
> 1 2008-09-12 20:48:14.296642 0.000000 0.000000 ARP 42
> 2 2008-09-12 20:48:14.296912 0.000270 0.000270 ARP 60
> <snip>
> 13 2008-09-12 20:48:14.349701 0.000035 0.053059 TCP 54
> 14 2008-09-12 20:48:17.116150 2.766449 2.819508 TCP 54
> ==============================================================
> ==================
> TCP Conversations
> Filter:<No Filter>
> | <-
> | |
> -> | | Total |
> | Frames
> Bytes | | Frames Bytes | | Frames Bytes |
> 192.168.1.44:1286 <-> 209.85.129.99:80 5
> 3151 5
> 705 10 3856
> ==============================================================
> ==================
>
>
> For time formats take a look at:
> http://anonsvn.wireshark.org/wireshark/trunk/epan/column.c
> "%Yt", /* 1) COL_ABS_DATE_TIME */
> "%At", /* 2) COL_ABS_TIME */
>
> "%Tt", /* 11) COL_DELTA_TIME */
> "%dct", /* 12) COL_DELTA_CONV_TIME */
> "%Gt", /* 13) COL_DELTA_TIME_DIS */
>
> "%Rt", /* 49) COL_REL_TIME */
> "%rct", /* 50) COL_REL_CONV_TIME */
>
> "%t", /* 58) COL_CLS_TIME */
>
>
> To print other columns:
> tshark -o column.format:""No.", "%m", "Time", "%Yt", "Time",
> "%Tt", "Time", "%Rt", "Source", "%s", "Destination", "%d",
> "Protocol", "%p", "Info", "%i", "Length", "%L"" -z conv,tcp
> -r test.cap > test.txt
>
>
> You can use capinfos for a summery:
> $ capinfos -aeu test.cap
> File name: test.cap
> Capture duration: 2.819508 seconds
> Start time: Fri Sep 12 20:48:14 2008
> End time: Fri Sep 12 20:48:17 2008
>
> HTH
> Joan
>
>
> On 12 Sep 2008 James Talbut wrote:
> > I'm processing gigabyte packet captures and it takes about
> 6 hours to
> > generate the conversation table in wireshark or about one
> hour using tshark.
> > But the tshark table doesn't include the time columns.
> > Is there any configuration for changing this?
>
>
>
>
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-users
>
________________________________________________________________________
This e-mail, and any attachment, is confidential. If you have received it in error, do not use or disclose the information in any way, notify me immediately, and please delete it from your system.
________________________________________________________________________