Wireshark mailing list archives

Re: summing tcp.time_delta


From: Stuart Kendrick <skendric () fhcrc org>
Date: Sun, 03 Jun 2012 07:00:45 -0700

Hi Sake,

OK, so I had missed the following instruction from the man page:
"NOTE: One important thing to note here is that the field that the
calculation is based on MUST also be part of the filter string or else
the calculation will fail."
and you have helped me to correct that.  Thank you!

A question:  Why include "-R tcp.stream==1"   ?   I'm thinking that, for
statistics calculation, I don't need a 'Read filter' ... since I'm
suppressing output with '-z' anyway.

[I'm getting the same output when I skip the '-R {filter}' phrase.]

tshark -r http.cap -qz "io,stat,0,SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src==192.168.1.43),SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.dst==192.168.1.43)"

--sk



On 6/2/2012 2:24 AM, Sake Blok wrote:
Stuart,

The read/display filter does not have an effect on the resulting data
in the stats. You need to specify the filter in the stats definition.
Here is an example:

sake@macsake-wifi:~/Wireshark/pcap$ tshark -r http.cap -R tcp.stream==1 -qz "io,stat,0,SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src==192.168.1.43),SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.dst==192.168.1.43)"

=======================================================================================
| IO Statistics                                                                       |
|                                                                                     |
| Interval size: 50.0 secs (dur)                                                      |
| Col 1: SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src==192.168.1.43) |
|     2: SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.dst==192.168.1.43) |
|-------------------------------------------------------------------------------------|
|              |1          |2         |                                               |
| Interval     |    SUM    |    SUM   |                                               |
|-------------------------------------|                                               |
|  0.0 <> 50.0 | 26.906796 | 1.299915 |                                               |
=======================================================================================
sake@macsake-wifi:~/Wireshark/pcap$ 

If I filter on something else, the sum still works, which shows that
the read/display filter is not used in creating the io,stat statistics:

sake@macsake-wifi:~/Wireshark/pcap$ tshark -r http.cap -R tcp.stream==2 -qz "io,stat,0,SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src==192.168.1.43),SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.dst==192.168.1.43)"

=======================================================================================
| IO Statistics                                                                       |
|                                                                                     |
| Interval size: 50.0 secs (dur)                                                      |
| Col 1: SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src==192.168.1.43) |
|     2: SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.dst==192.168.1.43) |
|-------------------------------------------------------------------------------------|
|              |1          |2         |                                               |
| Interval     |    SUM    |    SUM   |                                               |
|-------------------------------------|                                               |
|  0.0 <> 50.0 | 26.906796 | 1.299915 |                                               |
=======================================================================================
sake@macsake-wifi:~/Wireshark/pcap$ 

Hope this helps,
Cheers,


Sake



On 2 jun 2012, at 00:49, Stuart Kendrick wrote:

I have a trace of a client loading a large file via HTTP from a
remote Web server, captured at the client.  Takes ~7.5s.

I was imagining that I could calculate how much time the client
contributed to the transaction and compare this to how much time the
server + network contributed.  But I'm fumbling the calculation
somehow ... I get the same result (~7.5s) regardless of whether I'm
filtering on client-sourced frames or server-sourced frames.  I would
have expected the 7.5s to be divided between the two (~.5s for
tcp.dstport==80 and ~7s for tcp.srcport==80).  Tips?

C:\Temp> tshark -nlr client.pcap -o tcp.calculate_timestamps:TRUE -R "(tcp.dstport==80)" -qz io,stat,600,"SUM(tcp.time_delta)tcp.time_delta"

============================================
| IO Statistics                            |
|                                          |
| Interval size: 7.572 secs (dur)          |
| Col 1: SUM(tcp.time_delta)tcp.time_delta |
|------------------------------------------|
|                |1         |              |
| Interval       |    SUM   |              |
|---------------------------|              |
| 0.000 <> 7.572 | 7.571759 |              |
============================================

C:\Temp>tshark -nlr client.pcap -o tcp.calculate_timestamps:TRUE -R "(tcp.srcport==80)" -qz io,stat,600,"SUM(tcp.time_delta)tcp.time_delta"

============================================
| IO Statistics                            |
|                                          |
| Interval size: 7.572 secs (dur)          |
| Col 1: SUM(tcp.time_delta)tcp.time_delta |
|------------------------------------------|
|                |1         |              |
| Interval       |    SUM   |              |
|---------------------------|              |
| 0.000 <> 7.572 | 7.571759 |              |
============================================


--sk


Stuart Kendrick
FHCRC

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe
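
Added example (not part of the original thread): a small Python model of what the per-direction SUM(tcp.time_delta) columns discussed above compute, run over constructed packets. The server address, timestamps and function names are assumptions made for illustration; tcp.time_delta is modelled as the time since the previous frame in the same TCP stream.

```python
# Constructed sample: (frame.time_relative in seconds, tcp.stream, ip.src)
CLIENT = "192.168.1.43"
SERVER = "203.0.113.10"  # constructed placeholder address
PACKETS = [
    (0.000, 1, CLIENT),  # SYN
    (0.100, 1, SERVER),  # SYN/ACK
    (0.101, 1, CLIENT),  # ACK
    (0.102, 1, CLIENT),  # GET
    (0.200, 2, CLIENT),  # unrelated stream
    (0.500, 1, SERVER),  # first data segment
    (0.501, 1, SERVER),  # more data
    (0.502, 1, CLIENT),  # ACK
    (0.900, 2, SERVER),  # unrelated stream
]


def time_deltas(packets):
    """Yield (packet, delta); delta is the gap to the previous frame of the
    same stream in either direction, 0 for the first frame of a stream.
    Deltas are computed over all frames before any filter is applied."""
    last_seen = {}
    for pkt in sorted(packets):
        ts, stream, _src = pkt
        delta = ts - last_seen.get(stream, ts)
        last_seen[stream] = ts
        yield pkt, delta


def sum_time_delta(packets, stat_filter):
    """Model of one io,stat column: the filter is part of the column
    definition, so each column selects its own frames."""
    total = sum(d for p, d in time_deltas(packets) if stat_filter(*p))
    return round(total, 6)


def from_client(ts, stream, src):
    return stream == 1 and src == CLIENT


def from_server(ts, stream, src):
    return stream == 1 and src != CLIENT


if __name__ == "__main__":
    print("client-sourced frames:", sum_time_delta(PACKETS, from_client))
    print("server-sourced frames:", sum_time_delta(PACKETS, from_server))
    # No direction in the column filter: every frame of every stream is summed.
    print("no direction filter:  ", sum_time_delta(PACKETS, lambda *p: True))
```

The two directional sums add up to the duration of stream 1, while a column filter that names only the field sums every frame regardless of direction.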


