Wireshark-users: Re: [Wireshark-users] Getting duration when using tshark -z conv
On Sat, 13 Sep 2008 09:19:05 +0100 James Talbut wrote:
>Unfortunately not, thanks.
>
>When I get conversation breakdowns from wireshark it gives me these
>columns:
>Address A Port A Address B Port B Packets Bytes Packets
>A->B Bytes A->B Packets A<-B Bytes A<-B Rel Start
>Duration bps A->B bps A<-B
>(saved as CSV from the conversations window)
>
>But when I get conversations from tshark it only has these:
>        |       <-      | |       ->      | |     Total     |
>        | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
>
>I really want the Duration data so that I can roughly tell the consumed
>bandwidth of a given conversation.
>
>With wireshark generating the conversation breakdown takes about 5 times
>as long as with tshark, and with tshark taking over an hour that's a
>significant difference :)
>I can't even load the files on 32 bit Windows because it runs out of
>address space, but tshark uses much less memory too.
>
>What I'd like is for -z conv to give me exactly the same columns as
>wireshark.
Not AFAIK.
May be io,stat can help a bit.
Make sure you use the "." as a decimal symbol (regional settings).
You can play around with the interval (3600 seconds and higher) for your
6 hour cap-file ;-)
$ tshark -z io,stat,50,ip.addr==81.33.231.11,ip.addr==193.81.55.180 -q -r test.pcap
===================================================================
IO Statistics
Interval: 50.000 secs
Column #0: ip.addr==81.33.231.11
Column #1: ip.addr==193.81.55.180
               |    Column #0    |    Column #1
Time           | frames    bytes | frames    bytes
000.000-050.000       0        0        0        0
050.000-100.000       0        0        0        0
100.000-150.000       0        0        0        0
150.000-200.000       0        0        0        0
200.000-250.000       0        0        0        0
250.000-300.000       0        0      386   330909
300.000-350.000       0        0        6      336
350.000-400.000    4583  4687982      831   719871
400.000-450.000    8524  8656229        3     168
===================================================================
Grtz
Joan
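As an added example (not from either poster): the Rel Start, Duration, Bytes and bps columns that the Wireshark Conversations window shows can be derived from tshark field output with awk, without loading the capture into Wireshark. The tshark command in the comment and the sample field lines are assumptions constructed for this script so it runs offline; the key pairs both directions of a TCP conversation into one row.

```shell
#!/bin/sh
# Per-conversation start/duration/bytes/bps from tshark field output.
# Real input (assumed command, TCP only so every field is present):
#   tshark -r test.pcap -Y tcp -T fields -e frame.time_relative \
#     -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e frame.len
# Constructed sample of such output (whitespace separated), embedded
# here so the script runs without a capture file.
SAMPLE_FIELDS='0.000000 10.0.0.1 40000 10.0.0.2 80 74
0.000120 10.0.0.2 80 10.0.0.1 40000 74
0.000200 10.0.0.1 40000 10.0.0.2 80 66
1.500000 10.0.0.1 40000 10.0.0.2 80 1514
3.000000 10.0.0.2 80 10.0.0.1 40000 1514
0.500000 10.0.0.3 51000 10.0.0.2 443 74
0.900000 10.0.0.2 443 10.0.0.3 51000 74'

# conv_stats: reads field lines on stdin and prints one line per
# conversation: "<endpoint A> <endpoint B> relstart duration bytes bps".
# Endpoints are ordered lexically so both directions share one key.
conv_stats() {
  awk '
    {
      t = $1 + 0; a = $2 ":" $3; b = $4 ":" $5; len = $6 + 0
      key = (a < b) ? a " " b : b " " a
      if (!(key in first) || t < first[key]) first[key] = t
      if (!(key in last)  || t > last[key])  last[key]  = t
      bytes[key] += len
    }
    END {
      for (k in bytes) {
        d = last[k] - first[k]
        # Single-packet conversations have zero duration; report 0 bps
        # rather than dividing by zero.
        bps = (d > 0) ? bytes[k] * 8 / d : 0
        printf "%s %.3f %.3f %d %.0f\n", k, first[k], d, bytes[k], bps
      }
    }' | sort
}

printf '%s\n' "$SAMPLE_FIELDS" | conv_stats
```

The bps figure is total bytes in both directions over the conversation's lifetime, a rough average rather than a peak.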