The problem with dns.time is that it seems to base its calculations on the last query, not the first. For example, if query 1 goes unanswered and query 2 is sent with the same ID and then a response comes back, dns.time calculates the time based on the second query. To me that is a little misleading. In the following you can see that there are 5 seconds between the first and second query but dns.time is reported at under 2 ms. The 5 seconds is lost and is probably significant if you are looking at performance issues.

The following, while pretty ugly, will produce a table using the first time for a given ID:

$ (tshark -r dns.pcapng -T fields -e frame.number -e frame.time_epoch -e frame.time -e dns.id -e dns.flags.response -e dns.qry.name -e dns.qry.type > /tmp/foo;
   (echo ID TYPE Name Response-time - Query-time = Delta-time;
    awk '($9 == 1) {print $8 " " $10 " " $11}' /tmp/foo | sort -u |
    while read id name type; do
      echo $id $type $name: $( grep "$id.*0.*$name.*$type" /tmp/foo | awk '{print $2 " " $3 " " $5 " " $6}' | head -1 > /tmp/foo1;
                              grep "$id.*1.*$name.*$type" /tmp/foo | awk '{print $2 " " $3 " " $5 " " $6}' | tail -1 >> /tmp/foo1;
                              cat /tmp/foo1 | tr "\n" " " | awk '{print $8 " - " $4 " = " $5-$1}' );
    done) | column -t;
   rm /tmp/foo; rm /tmp/foo1) | grep -E "fc01|ID"
Note that this will not display a query that never gets an answer.

You can use gnuplot to plot them:

$ (tshark -r dns.pcapng -T fields -e frame.number -e frame.time_epoch -e frame.time -e dns.id -e dns.flags.response -e dns.qry.name -e dns.qry.type > /tmp/foo;
   (echo ID TYPE Name Response-time - Query-time = Delta-time;
    awk '($9 == 1) {print $8 " " $10 " " $11}' /tmp/foo | sort -u |
    while read id name type; do
      echo $id $type $name: $( grep "$id.*0.*$name.*$type" /tmp/foo | awk '{print $2 " " $3 " " $5 " " $6}' | head -1 > /tmp/foo1;
                              grep "$id.*1.*$name.*$type" /tmp/foo | awk '{print $2 " " $3 " " $5 " " $6}' | tail -1 >> /tmp/foo1;
                              cat /tmp/foo1 | tr "\n" " " | awk '{print $8 " - " $4 " = " $5-$1}' );
    done) | column -t;
   rm /tmp/foo; rm /tmp/foo1) > /tmp/foo3;
  gnuplot -p -e "set xdata time; set timefmt \"%H:%M:%S\"; set format x \"%H:%M:%S\"; set logscale y 10; plot \"/tmp/foo3\" using 6:8; pause 300";
  rm /tmp/foo3

Note that the pause 300 will give you 5 minutes to resize the window and have it scale correctly.

On 03/11/2017 05:00 AM, wireshark-users-request@xxxxxxxxxxxxx wrote:
> ------------------------------
> Message: 2
> Date: Fri, 10 Mar 2017 18:14:04 +0400
> From: Abhik Sarkar <sarkar.abhik@xxxxxxxxx>
> To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] How to draw DNS response time in I/O Graph
> Message-ID: <CA+i03uScZn1bMf9_EZMvAk+kDW627kyDtPf+_sUD7EQWyYcUcQ@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="utf-8"
>
> Hi
>
> Doesn't this one help: https://ask.wireshark.org/questions/3678/dns-transaction-latency?
>
> Regards
> Abhik

--
Noah Davids
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Serendipity is a function of bandwidth

If you are not the intended recipient of this E-mail it would be nice if you deleted it and notified me that you received it incorrectly. On the other hand, E-mail is an insecure mechanism; nothing in this E-mail can be considered confidential.
Backup copies of this E-mail can be requested from the NSA by sending an E-mail to george.orwell@xxxxxxxxxxxxxxxxxx with the subject "Please recover E-mail" followed by the date, subject and original sender's E-mail address. $3.14 will be debited from one of your bank accounts for processing for each E-mail recovered.
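As an added example (not Noah's script and not part of the original thread), the same first-query measurement done in Python over tab-separated tshark -T fields output, in the field order used above. The sample lines are constructed; the retransmitted ID 0xfc01 and the unanswered ID 0xabcd are invented to show the two cases the shell pipeline handles differently (it reports the first, and silently drops the second).

```python
from collections import OrderedDict

# Constructed sample of `tshark -T fields` output (tab-separated), same field order as the
# command above: frame.number, frame.time_epoch, frame.time, dns.id, dns.flags.response,
# dns.qry.name, dns.qry.type.  ID 0xfc01 is retransmitted after 5 s and answered 2 ms
# after the retransmission; ID 0xabcd never gets an answer.
SAMPLE = """\
1\t1489155244.000000\tMar 10, 2017 18:14:04.000000000 UTC\t0xfc01\t0\twww.example.com\t1
2\t1489155244.050000\tMar 10, 2017 18:14:04.050000000 UTC\t0xabcd\t0\tmail.example.com\t1
3\t1489155249.000000\tMar 10, 2017 18:14:09.000000000 UTC\t0xfc01\t0\twww.example.com\t1
4\t1489155249.002000\tMar 10, 2017 18:14:09.002000000 UTC\t0xfc01\t1\twww.example.com\t1
"""

def parse_fields(text):
    """Split on tabs: frame.time contains spaces, so whitespace splitting would misalign fields."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            _num, epoch, _when, dns_id, resp, name, qtype = line.split("\t")
            rows.append((float(epoch), dns_id, resp == "1", name, qtype))
    return rows

def transactions(rows):
    """Group by (id, name, type): first query, last query before the answer, and the answer.
    A query sent after its answer (ID reuse) is ignored here to keep the example short."""
    tx = OrderedDict()
    for epoch, dns_id, is_resp, name, qtype in rows:
        e = tx.setdefault((dns_id, name, qtype), {"first": None, "last": None, "resp": None})
        if is_resp:
            if e["first"] is not None and e["resp"] is None:  # skip unmatched/duplicate answers
                e["resp"] = epoch
        elif e["resp"] is None:  # first query or a retransmission of a still-open query
            e["first"] = epoch if e["first"] is None else e["first"]
            e["last"] = epoch
    return tx

def report(rows):
    """(id, name, type, delta_from_first, delta_from_last); deltas are None when unanswered.
    delta_from_last is what dns.time shows; delta_from_first keeps the retransmission gap."""
    out = []
    for (dns_id, name, qtype), e in transactions(rows).items():
        if e["resp"] is None:
            out.append((dns_id, name, qtype, None, None))
        else:
            out.append((dns_id, name, qtype, e["resp"] - e["first"], e["resp"] - e["last"]))
    return out

if __name__ == "__main__":
    for dns_id, name, qtype, d_first, d_last in report(parse_fields(SAMPLE)):
        status = "UNANSWERED" if d_first is None else f"{d_first:.3f}s from first query ({d_last:.3f}s dns.time)"
        print(dns_id, qtype, name, status)
```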