Wireshark-users: Re: [Wireshark-users] Wireshark-users Digest, Vol 130, Issue 6
From: noah davids <ndav1@xxxxxxx>
Date: Sun, 12 Mar 2017 20:14:44 -0700

The problem with dns.time is that it seems to base its calculations on the last query not the first. For example, if query 1 goes unanswered and query 2 is sent with the same ID and then a query comes back dns.time calculates the time based on the second query. To me that is a little misleading.

In the following you can see that there are 5 seconds between the first and second query but dns.time is reported at under 2 ms. The 5 seconds is lost and is probably significant if you are looking at performance issues.

$ tshark -r dns.pcapng -Y "dns.id == 0xfc01" -T fields -e frame.time -e dns.id -e dns.qry.name -e dns.flags.response -e dns.time
Mar 12, 2017 05:41:59.259558974 MST    0x0000fc01    z.cdn.turner.com    0   
Mar 12, 2017 05:42:04.267468318 MST    0x0000fc01    z.cdn.turner.com    0   
Mar 12, 2017 05:42:04.269226257 MST    0x0000fc01    z.cdn.turner.com    1    0.001757939

The following while pretty ugly will produce a table using the first time for a given ID

tshark -r dns.pcapng -T fields -e frame.number -e frame.time_epoch -e frame.time -e dns.id -e dns.flags.response -e dns.qry.name -e dns.qry.type > /tmp/foo; (echo ID TYPE Name Response-time - Query-time = Delta-time; awk '($9 == 1) {print $8 " " $10 " " $11}' /tmp/foo | sort -u | while read id name type; do echo $id $type $name: $( grep $id.*0.*$name.*$type /tmp/foo | awk '{print $2 " " $3 " " $5 " " $6}' | head -1 > /tmp/foo1; grep $id.*1.*$name.*$type /tmp/foo | awk '{print $2 " " $3 " " $5 " " $6}' | tail -1 >> /tmp/foo1; cat /tmp/foo1 | tr "\n" " " | awk '{print $8 " - " $4 " = " $5-$1}'); done) | column -t; rm /tmp/foo; rm /tmp/foo1

filtering on just the example transaction ID yields

$ (tshark -r dns.pcapng -T fields -e frame.number -e frame.time_epoch -e frame.time -e dns.id -e dns.flags.response -e dns.qry.name -e dns.qry.type > /tmp/foo; (echo ID TYPE Name Response-time - Query-time = Delta-time; awk '($9 == 1) {print $8 " " $10 " " $11}' /tmp/foo | sort -u | while read id name type; do echo $id $type $name: $( grep $id.*0.*$name.*$type /tmp/foo | awk '{print $2 " " $3 " " $5 " " $6}' | head -1 > /tmp/foo1; grep $id.*1.*$name.*$type /tmp/foo | awk '{print $2 " " $3 " " $5 " " $6}' | tail -1 >> /tmp/foo1; cat /tmp/foo1 | tr "\n" " " | awk '{print $8 " - " $4 " = " $5-$1}'); done) | column -t; rm /tmp/foo; rm /tmp/foo1) | grep -E "fc01|ID"
ID          TYPE  Name                         Response-time       -  Query-time          =  Delta-time
0x0000fc01  28    z.cdn.turner.com:            05:42:04.269226257  -  05:41:59.259558974  =  5.00967

Note that this will not display a query that never gets an answer.

You can use gnuplot to plot them

$ (tshark -r dns.pcapng -T fields -e frame.number -e frame.time_epoch -e frame.time -e dns.id -e dns.flags.response -e dns.qry.name -e dns.qry.type > /tmp/foo; (echo ID TYPE Name Response-time - Query-time = Delta-time; awk '($9 == 1) {print $8 " " $10 " " $11}' /tmp/foo | sort -u | while read id name type; do echo $id $type $name: $( grep $id.*0.*$name.*$type /tmp/foo | awk '{print $2 " " $3 " " $5 " " $6}' | head -1 > /tmp/foo1; grep $id.*1.*$name.*$type /tmp/foo | awk '{print $2 " " $3 " " $5 " " $6}' | tail -1 >> /tmp/foo1; cat /tmp/foo1 | tr "\n" " " | awk '{print $8 " - " $4 " = " $5-$1}'); done) | column -t; rm /tmp/foo; rm /tmp/foo1) > /tmp/foo3; gnuplot -p -e "set xdata time; set timefmt \"%H:%M:%S\"; set format x \"%H:%M:%S\"; set logscale y 10; plot \"/tmp/foo3\" using 6:8; pause 300"; rm /tmp/foo3

Note that the pause 300 will give you 5 minutes to resize the window and have it scale correctly.




On 03/11/2017 05:00 AM, wireshark-users-request@xxxxxxxxxxxxx wrote:
------------------------------
Message: 2
Date: Fri, 10 Mar 2017 18:14:04 +0400
From: Abhik Sarkar <sarkar.abhik@xxxxxxxxx>
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] How to draw DNS response time in I/O
	Graph
Message-ID:
	<CA+i03uScZn1bMf9_EZMvAk+kDW627kyDtPf+_sUD7EQWyYcUcQ@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"

Hi

Doesn't this one help:
https://ask.wireshark.org/questions/3678/dns-transaction-latency?

Regards
Abhik


-- 
Noah Davids
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Serendipity is a function of bandwidth
 
If you  are not the intended recipient of this E-mail it  would be nice if you deleted
it and notified me  that you received it incorrectly.  On the other hand, E-mail is an
insecure mechanism; nothing in this E-mail can be considered confidential.

Backup copies of this E-mail can be requested from the NSA by sending an E-mail to
george.orwell@xxxxxxxxxxxxxxxxxx with the subject "Please recover E-mail" followed
by the date, subject  and original  sender's E-mail address. $3.14 will be debited
from one of your bank accounts for processing for each E-mail recovered.