Wireshark mailing list archives

Re: Wireshark-users Digest, Vol 130, Issue 6


From: noah davids <ndav1 () cox net>
Date: Sun, 12 Mar 2017 20:14:44 -0700

The problem with dns.time is that it seems to base its calculations on
the last query, not the first. For example, if query 1 goes unanswered
and query 2 is sent with the same ID and then a response comes back,
dns.time calculates the time based on the second query. To me that is a
little misleading.

In the following you can see that there are 5 seconds between the first
and second query but dns.time is reported at under 2 ms. The 5 seconds
is lost and is probably significant if you are looking at performance
issues.

$ tshark -r dns.pcapng -Y "dns.id == 0xfc01" -T fields -e frame.time \
      -e dns.id -e dns.qry.name -e dns.flags.response -e dns.time
Mar 12, 2017 05:41:59.259558974 MST    0x0000fc01    z.cdn.turner.com    0
Mar 12, 2017 05:42:04.267468318 MST    0x0000fc01    z.cdn.turner.com    0
Mar 12, 2017 05:42:04.269226257 MST    0x0000fc01    z.cdn.turner.com    1    0.001757939

The following, while pretty ugly, will produce a table using the first
query time for a given ID (plus name and type, since a 16-bit ID alone
is reused):

tshark -r dns.pcapng -T fields -e frame.number -e frame.time_epoch \
    -e frame.time -e dns.id -e dns.flags.response -e dns.qry.name \
    -e dns.qry.type > /tmp/foo
( echo ID TYPE Name Response-time - Query-time = Delta-time
  # one (id, name, type) line per transaction that got a response
  awk '($9 == 1) {print $8 " " $10 " " $11}' /tmp/foo | sort -u |
  while read id name type; do
      # $2 = epoch, $3 = month, $5 = year, $6 = time of day
      echo $id $type $name: $( grep "$id.*0.*$name.*$type" /tmp/foo |
              awk '{print $2 " " $3 " " $5 " " $6}' | head -1 > /tmp/foo1   # first query
          grep "$id.*1.*$name.*$type" /tmp/foo |
              awk '{print $2 " " $3 " " $5 " " $6}' | tail -1 >> /tmp/foo1  # last response
          # response time - query time = response epoch - query epoch
          cat /tmp/foo1 | tr "\n" " " | awk '{print $8 " - " $4 " = " $5-$1}' )
  done ) | column -t
rm /tmp/foo /tmp/foo1

Filtering on just the example transaction ID yields:

$ ( tshark -r dns.pcapng -T fields -e frame.number -e frame.time_epoch \
        -e frame.time -e dns.id -e dns.flags.response -e dns.qry.name \
        -e dns.qry.type > /tmp/foo
    ( echo ID TYPE Name Response-time - Query-time = Delta-time
      awk '($9 == 1) {print $8 " " $10 " " $11}' /tmp/foo | sort -u |
      while read id name type; do
          echo $id $type $name: $( grep "$id.*0.*$name.*$type" /tmp/foo |
                  awk '{print $2 " " $3 " " $5 " " $6}' | head -1 > /tmp/foo1
              grep "$id.*1.*$name.*$type" /tmp/foo |
                  awk '{print $2 " " $3 " " $5 " " $6}' | tail -1 >> /tmp/foo1
              cat /tmp/foo1 | tr "\n" " " | awk '{print $8 " - " $4 " = " $5-$1}' )
      done ) | column -t
    rm /tmp/foo /tmp/foo1 ) | grep -E "fc01|ID"
ID          TYPE  Name               Response-time       -  Query-time          =  Delta-time
0x0000fc01  28    z.cdn.turner.com:  05:42:04.269226257  -  05:41:59.259558974  =  5.00967
Note that this will not display a query that never gets an answer.

You can use gnuplot to plot them (x = query time, y = delta on a log scale):

$ ( tshark -r dns.pcapng -T fields -e frame.number -e frame.time_epoch \
        -e frame.time -e dns.id -e dns.flags.response -e dns.qry.name \
        -e dns.qry.type > /tmp/foo
    ( echo ID TYPE Name Response-time - Query-time = Delta-time
      awk '($9 == 1) {print $8 " " $10 " " $11}' /tmp/foo | sort -u |
      while read id name type; do
          echo $id $type $name: $( grep "$id.*0.*$name.*$type" /tmp/foo |
                  awk '{print $2 " " $3 " " $5 " " $6}' | head -1 > /tmp/foo1
              grep "$id.*1.*$name.*$type" /tmp/foo |
                  awk '{print $2 " " $3 " " $5 " " $6}' | tail -1 >> /tmp/foo1
              cat /tmp/foo1 | tr "\n" " " | awk '{print $8 " - " $4 " = " $5-$1}' )
      done ) | column -t
    rm /tmp/foo /tmp/foo1 ) > /tmp/foo3
# column 6 is the query time of day, column 8 the delta in seconds
gnuplot -p -e "set xdata time; set timefmt \"%H:%M:%S\"; set format x \"%H:%M:%S\"; \
    set logscale y 10; plot \"/tmp/foo3\" using 6:8; pause 300"
rm /tmp/foo3

Note that the pause 300 will give you 5 minutes to resize the window and
have it scale correctly.




On 03/11/2017 05:00 AM, wireshark-users-request () wireshark org wrote:
------------------------------
Message: 2
Date: Fri, 10 Mar 2017 18:14:04 +0400
From: Abhik Sarkar <sarkar.abhik () gmail com>
To: Community support list for Wireshark
      <wireshark-users () wireshark org>
Subject: Re: [Wireshark-users] How to draw DNS response time in I/O
      Graph
Message-ID:
      <CA+i03uScZn1bMf9_EZMvAk+kDW627kyDtPf+_sUD7EQWyYcUcQ () mail gmail com>
Content-Type: text/plain; charset="utf-8"

Hi

Doesn't this one help:
https://ask.wireshark.org/questions/3678/dns-transaction-latency?

Regards
Abhik


-- 
Noah Davids
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Serendipity is a function of bandwidth
 
If you  are not the intended recipient of this E-mail it  would be nice if you deleted
it and notified me  that you received it incorrectly.  On the other hand, E-mail is an
insecure mechanism; nothing in this E-mail can be considered confidential.

Backup copies of this E-mail can be requested from the NSA by sending an E-mail to
george.orwell () prisim oceania gov with the subject "Please recover E-mail" followed
by the date, subject  and original  sender's E-mail address. $3.14 will be debited
from one of your bank accounts for processing for each E-mail recovered.


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
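As an added example (not code from the post or from the Wireshark project): a small Python script that does the same bookkeeping as the shell pipeline in the message above over the tab-separated fields tshark emits, measuring from the first query to the last response, reporting what dns.time would have reported alongside it, and also listing queries that never got an answer (which the pipeline drops). frame.time_epoch is kept as a Decimal because a float at ~1.5e9 seconds only resolves to about 2e-7 s and would lose the nanosecond digits. The sample rows are constructed: the 0xfc01 timestamps mirror the post's example, the 0xfc02 and 0xfc03 rows are invented.

```python
"""DNS response time from the FIRST query of a transaction, from tshark fields."""
import sys
from collections import defaultdict
from decimal import Decimal

# Constructed sample (not a real capture) in the layout produced by
#   tshark -r dns.pcapng -T fields -e frame.number -e frame.time_epoch \
#          -e dns.id -e dns.flags.response -e dns.qry.name -e dns.qry.type
# Fields are tab-separated. 0xfc01 reproduces the post's retransmitted query;
# 0xfc02 is a single-shot query, 0xfc03 never gets a response.
SAMPLE = (
    "101\t1489322519.259558974\t0x0000fc01\t0\tz.cdn.turner.com\t28\n"
    "102\t1489322520.000000000\t0x0000fc02\t0\twww.example.com\t1\n"
    "103\t1489322520.012345678\t0x0000fc02\t1\twww.example.com\t1\n"
    "104\t1489322521.500000000\t0x0000fc03\t0\tmail.example.com\t28\n"
    "105\t1489322524.267468318\t0x0000fc01\t0\tz.cdn.turner.com\t28\n"
    "106\t1489322524.269226257\t0x0000fc01\t1\tz.cdn.turner.com\t28\n"
)


def parse_fields(text):
    """Parse tshark -T fields output (6 tab-separated columns) into row dicts.

    The epoch is kept as Decimal so nanosecond timestamps are not rounded.
    """
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, epoch, dns_id, resp, name, qtype = line.split("\t")
        rows.append({
            "frame": int(frame),
            "epoch": Decimal(epoch),
            "id": dns_id,
            "response": resp == "1",
            "name": name,
            "type": qtype,
        })
    return rows


def response_times(rows):
    """Return (answered, unanswered) lists of transaction summaries.

    Transactions are keyed on (id, name, type): the 16-bit ID alone is
    reused too quickly to be unique. delta_from_first is first query ->
    last response; delta_from_last is what dns.time reports. Responses
    with no matching query (capture started mid-transaction) are ignored.
    """
    queries = defaultdict(list)
    responses = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["frame"]):
        key = (r["id"], r["name"], r["type"])
        (responses if r["response"] else queries)[key].append(r["epoch"])

    answered, unanswered = [], []
    for key, qtimes in queries.items():
        dns_id, name, qtype = key
        if key not in responses:
            unanswered.append({"id": dns_id, "name": name, "type": qtype,
                               "first_query": qtimes[0],
                               "retries": len(qtimes) - 1})
            continue
        last_resp = responses[key][-1]
        answered.append({
            "id": dns_id, "name": name, "type": qtype,
            "first_query": qtimes[0],
            "last_query": qtimes[-1],
            "response": last_resp,
            "retries": len(qtimes) - 1,
            "delta_from_first": last_resp - qtimes[0],
            "delta_from_last": last_resp - qtimes[-1],
        })
    return answered, unanswered


def format_table(answered, unanswered):
    """Tab-separated table; pipe through column -t for alignment."""
    lines = ["ID\tTYPE\tNAME\tRETRIES\tDELTA(first-query)\tDELTA(last-query)"]
    for a in answered:
        lines.append(f"{a['id']}\t{a['type']}\t{a['name']}\t{a['retries']}\t"
                     f"{a['delta_from_first']}\t{a['delta_from_last']}")
    for u in unanswered:
        lines.append(f"{u['id']}\t{u['type']}\t{u['name']}\t{u['retries']}\t"
                     "UNANSWERED\t-")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass the tshark output file as the first argument, or run with none
    # to use the embedded sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(format_table(*response_times(parse_fields(text))))
```

With the sample, 0xfc01 comes out as 5.009667283 s from the first query but 0.001757939 s from the last, which is the discrepancy the post describes, and 0xfc03 is listed as UNANSWERED. If the capture contains several clients, add -e ip.src -e udp.srcport to the tshark field list and to the key, otherwise unrelated transactions that happen to share ID, name and type are merged.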
