Wireshark-users: Re: [Wireshark-users] summing tcp.time_delta
From: Sake Blok <sake@xxxxxxxxxx>
Date: Sat, 2 Jun 2012 11:24:29 +0200
Stuart,

The read/display filter does not have an effect on the resulting data in the stats. You need to specify the filter in the stats definition. Here is an example:

sake@macsake-wifi:~/Wireshark/pcap$ tshark -r http.cap -R tcp.stream==1 -qz "io,stat,0,SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src="" && tcp.stream==1 && ip.dst==192.168.1.43)"

=======================================================================================
| IO Statistics                                                                       |
|                                                                                     |
| Interval size: 50.0 secs (dur)                                                      |
| Col 1: SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src="" |
|     2: SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.dst==192.168.1.43) |
|-------------------------------------------------------------------------------------|
|              |1          |2         |                                               |
| Interval     |    SUM    |    SUM   |                                               |
|-------------------------------------|                                               |
|  0.0 <> 50.0 | 26.906796 | 1.299915 |                                               |
=======================================================================================
sake@macsake-wifi:~/Wireshark/pcap$ 

If I filter on something else, the sum still works, which shows that the read/display filter is not used in creating the io,stat statistics:

sake@macsake-wifi:~/Wireshark/pcap$ tshark -r http.cap -R tcp.stream==2 -qz "io,stat,0,SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src="" && tcp.stream==1 && ip.dst==192.168.1.43)"

=======================================================================================
| IO Statistics                                                                       |
|                                                                                     |
| Interval size: 50.0 secs (dur)                                                      |
| Col 1: SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src="" |
|     2: SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.dst==192.168.1.43) |
|-------------------------------------------------------------------------------------|
|              |1          |2         |                                               |
| Interval     |    SUM    |    SUM   |                                               |
|-------------------------------------|                                               |
|  0.0 <> 50.0 | 26.906796 | 1.299915 |                                               |
=======================================================================================
sake@macsake-wifi:~/Wireshark/pcap$ 

Hope this helps,
Cheers,


Sake



On 2 jun 2012, at 00:49, Stuart Kendrick wrote:

I have a trace of a client loading a large file via HTTP from a remote Web server, captured at the client.  Takes ~7.5s.

I was imagining that I could calculate how much time the client contributed to the transaction and compare this to how much time the server + network contributed.  But I'm fumbling the calculation somehow ... I get the same result (~7.5s) regardless of whether I'm filtering on client-sourced frames or server-sourced frames.  I would have expected the 7.5s to be divided between the two (~.5s for tcp.dstport==80 and ~7s for tcp.srcport==80).  Tips?

C:\Temp> tshark -nlr client.pcap -o tcp.calculate_timestamps:TRUE -R "(tcp.dstport==80)" -qz io,stat,600,"SUM(tcp.time_delta)tcp.time_delta"

============================================
| IO Statistics                            |
|                                          |
| Interval size: 7.572 secs (dur)          |
| Col 1: SUM(tcp.time_delta)tcp.time_delta |
|------------------------------------------|
|                |1         |              |
| Interval       |    SUM   |              |
|---------------------------|              |
| 0.000 <> 7.572 | 7.571759 |              |
============================================

C:\Temp>tshark -nlr client.pcap -o tcp.calculate_timestamps:TRUE -R "(tcp.srcport==80)" -qz io,stat,600,"SUM(tcp.time_delta)tcp.time_delta"

============================================
| IO Statistics                            |
|                                          |
| Interval size: 7.572 secs (dur)          |
| Col 1: SUM(tcp.time_delta)tcp.time_delta |
|------------------------------------------|
|                |1         |              |
| Interval       |    SUM   |              |
|---------------------------|              |
| 0.000 <> 7.572 | 7.571759 |              |
============================================


--sk


Stuart Kendrick
FHCRC
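
Added example, not part of the original thread or of Wireshark: a Python cross-check of the per-direction split discussed above, computed from a tshark field export instead of io,stat. The sample rows and the addresses 192.0.2.10 (client) and 198.51.100.5 (server) are constructed placeholders.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample in the shape of a tshark field export such as:
#   tshark -r client.pcap -o tcp.calculate_timestamps:TRUE -T fields \
#          -E separator=, -e tcp.stream -e ip.src -e tcp.time_delta
# Addresses are placeholders: 192.0.2.10 = client, 198.51.100.5 = server.
SAMPLE = """\
1,192.0.2.10,0.000000
1,198.51.100.5,0.080000
1,192.0.2.10,0.000200
1,192.0.2.10,0.001000
1,198.51.100.5,0.085000
1,198.51.100.5,0.000300
,192.0.2.10,
1,192.0.2.10,0.000100
2,192.0.2.10,0.000000
2,198.51.100.5,0.500000
"""


def sum_by_source(text, stream):
    """Sum tcp.time_delta per source address for one tcp.stream."""
    totals = defaultdict(Decimal)
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3 or not row[0] or not row[2]:
            continue  # non-TCP frame: the tcp.* fields are empty
        if int(row[0]) != stream:
            continue  # same role as "tcp.stream==N" inside the stat filter
        totals[row[1]] += Decimal(row[2])
    return dict(totals)


def sum_all(text):
    """What a stat filter of just "tcp.time_delta" adds up: every TCP frame."""
    return sum((Decimal(r[2]) for r in csv.reader(io.StringIO(text))
                if len(r) == 3 and r[2]), Decimal(0))


if __name__ == "__main__":
    for src, total in sum_by_source(SAMPLE, 1).items():
        print(f"stream 1, ip.src=={src}: {total}")
    print(f"all TCP frames: {sum_all(SAMPLE)}")
```

The unfiltered total is the same whichever frames a separate read filter would have selected, which matches the identical sums in the question; the split appears only when the direction test is applied to the rows being summed.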


  