Wireshark-users: Re: [Wireshark-users] summing tcp.time_delta
From: Sake Blok <sake@xxxxxxxxxx>
Date: Sun, 3 Jun 2012 23:58:16 +0200
Hi Stuart,

Oops, it s unnecessary indeed... *unless* you omit the -q to also view the contents of the tcp.stream :-)

Sake


On 3 jun 2012, at 16:00, Stuart Kendrick wrote:

Hi Sake,

OK, so I had missed the following instruction from the man page:
"NOTE: One important thing to note here is that the field that the calculation is based on MUST also be part of the filter string or else the calculation will fail."
and you have helped me to correct that.  Thank you!

A question:  Why include "-R tcp.stream==1"   ?   I'm thinking that, for statistics calculation, I don't need a 'Read filter' ... since I'm suppressing output with '-z' anyway.

[I'm getting the same output when I skip the '-R {filter' phrase.]

tshark -r http.cap -qz "io,stat,0,SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src="" && tcp.stream==1 && ip.dst==192.168.1.43")

--sk



On 6/2/2012 2:24 AM, Sake Blok wrote:
Stuart,

The read/display filter does not have an effect on the resulting data in the stats. You need to specify the filter in the stats definition. Here is an example:

sake@macsake-wifi:~/Wireshark/pcap$ tshark -r http.cap -R tcp.stream==1 -qz "io,stat,0,SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src="" && tcp.stream==1 && ip.dst==192.168.1.43)"

=======================================================================================
| IO Statistics                                                                       |
|                                                                                     |
| Interval size: 50.0 secs (dur)                                                      |
| Col 1: SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src="" |
|     2: SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.dst==192.168.1.43) |
|-------------------------------------------------------------------------------------|
|              |1          |2         |                                               |
| Interval     |    SUM    |    SUM   |                                               |
|-------------------------------------|                                               |
|  0.0 <> 50.0 | 26.906796 | 1.299915 |                                               |
=======================================================================================
sake@macsake-wifi:~/Wireshark/pcap$ 

If I filter on something else, the sum still works, which shows that the read/display filter is not used in creating the io,stat statistics:

sake@macsake-wifi:~/Wireshark/pcap$ tshark -r http.cap -R tcp.stream==2 -qz "io,stat,0,SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src="" && tcp.stream==1 && ip.dst==192.168.1.43)"

=======================================================================================
| IO Statistics                                                                       |
|                                                                                     |
| Interval size: 50.0 secs (dur)                                                      |
| Col 1: SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src="" |
|     2: SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.dst==192.168.1.43) |
|-------------------------------------------------------------------------------------|
|              |1          |2         |                                               |
| Interval     |    SUM    |    SUM   |                                               |
|-------------------------------------|                                               |
|  0.0 <> 50.0 | 26.906796 | 1.299915 |                                               |
=======================================================================================
sake@macsake-wifi:~/Wireshark/pcap$ 

Hope this helps,
Cheers,


Sake



On 2 jun 2012, at 00:49, Stuart Kendrick wrote:

I have a trace of a client loading a large file via HTTP from a remote Web server, captured at the client.  Takes ~7.5s.

I was imagining that I could calculate how much time the client contributed to the transaction and compare this to how much time the server + network contributed.  But I'm fumbling the calculation somehow ... I get the same result (~7.5s) regardless of whether I'm filtering on client-sourced frames or server-sourced frames.  I would have expected the 7.5s to be divided between the two (~.5s for tcp.dstport==80 and ~7s for tcp.srcport==80).  Tips?

C:\Temp> tshark -nlr client.pcap -o tcp.calculate_timestamps:TRUE -R "(tcp.dstport==80)" -qz io,stat,600,"SUM(tcp.time_delta)tcp.time_delta"

 

============================================

| IO Statistics                            |

|                                          |

| Interval size: 7.572 secs (dur)          |

| Col 1: SUM(tcp.time_delta)tcp.time_delta |

|------------------------------------------|

|                |1         |              |

| Interval       |    SUM   |              |

|---------------------------|              |

| 0.000 <> 7.572 | 7.571759 |              |

============================================

C:\Temp>tshark -nlr client.pcap -o tcp.calculate_timestamps:TRUE -R "(tcp.srcport==80)" -qz io,stat,600,"SUM(tcp.time_delta)tcp.time_delta"

 

============================================

| IO Statistics                            |

|                                          |

| Interval size: 7.572 secs (dur)          |

| Col 1: SUM(tcp.time_delta)tcp.time_delta |

|------------------------------------------|

|                |1         |              |

| Interval       |    SUM   |              |

|---------------------------|              |

| 0.000 <> 7.572 | 7.571759 |              |

============================================


--sk


Stuart Kendrick
FHCRC


            
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe