Wireshark mailing list archives

Re: summing tcp.time_delta


From: Sake Blok <sake () euronet nl>
Date: Sat, 2 Jun 2012 11:24:29 +0200

Stuart,

The read/display filter does not have an effect on the resulting data in the stats. You need to specify the filter in the stats definition. Here is an example:

sake@macsake-wifi:~/Wireshark/pcap$ tshark -r http.cap -R tcp.stream==1 -qz "io,stat,0,SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src==192.168.1.43),SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.dst==192.168.1.43)"

=======================================================================================
| IO Statistics                                                                       |
|                                                                                     |
| Interval size: 50.0 secs (dur)                                                      |
| Col 1: SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src==192.168.1.43) |
|     2: SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.dst==192.168.1.43) |
|-------------------------------------------------------------------------------------|
|              |1          |2         |                                               |
| Interval     |    SUM    |    SUM   |                                               |
|-------------------------------------|                                               |
|  0.0 <> 50.0 | 26.906796 | 1.299915 |                                               |
=======================================================================================
sake@macsake-wifi:~/Wireshark/pcap$ 

If I filter on something else, the sum still works, which shows that the read/display filter is not used in creating the io,stat statistics:

sake@macsake-wifi:~/Wireshark/pcap$ tshark -r http.cap -R tcp.stream==2 -qz "io,stat,0,SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src==192.168.1.43),SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.dst==192.168.1.43)"

=======================================================================================
| IO Statistics                                                                       |
|                                                                                     |
| Interval size: 50.0 secs (dur)                                                      |
| Col 1: SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.src==192.168.1.43) |
|     2: SUM(tcp.time_delta)(tcp.time_delta && tcp.stream==1 && ip.dst==192.168.1.43) |
|-------------------------------------------------------------------------------------|
|              |1          |2         |                                               |
| Interval     |    SUM    |    SUM   |                                               |
|-------------------------------------|                                               |
|  0.0 <> 50.0 | 26.906796 | 1.299915 |                                               |
=======================================================================================
sake@macsake-wifi:~/Wireshark/pcap$ 

Hope this helps,
Cheers,


Sake



On 2 jun 2012, at 00:49, Stuart Kendrick wrote:

I have a trace of a client loading a large file via HTTP from a remote Web server, captured at the client.  Takes ~7.5s.

I was imagining that I could calculate how much time the client contributed to the transaction and compare this to how much time the server + network contributed.  But I'm fumbling the calculation somehow ... I get the same result (~7.5s) regardless of whether I'm filtering on client-sourced frames or server-sourced frames.  I would have expected the 7.5s to be divided between the two (~.5s for tcp.dstport==80 and ~7s for tcp.srcport==80).  Tips?

C:\Temp> tshark -nlr client.pcap -o tcp.calculate_timestamps:TRUE -R "(tcp.dstport==80)" -qz io,stat,600,"SUM(tcp.time_delta)tcp.time_delta"

============================================
| IO Statistics                            |
|                                          |
| Interval size: 7.572 secs (dur)          |
| Col 1: SUM(tcp.time_delta)tcp.time_delta |
|------------------------------------------|
|                |1         |              |
| Interval       |    SUM   |              |
|---------------------------|              |
| 0.000 <> 7.572 | 7.571759 |              |
============================================

C:\Temp>tshark -nlr client.pcap -o tcp.calculate_timestamps:TRUE -R "(tcp.srcport==80)" -qz io,stat,600,"SUM(tcp.time_delta)tcp.time_delta"

============================================
| IO Statistics                            |
|                                          |
| Interval size: 7.572 secs (dur)          |
| Col 1: SUM(tcp.time_delta)tcp.time_delta |
|------------------------------------------|
|                |1         |              |
| Interval       |    SUM   |              |
|---------------------------|              |
| 0.000 <> 7.572 | 7.571759 |              |
============================================

--sk


Stuart Kendrick
FHCRC
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe
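
Added example, not part of either message in this thread: a cross-check of the per-direction split done outside io,stat, by summing tcp.time_delta from tshark field output with awk. The sample rows, the addresses in them, and the helper names sample_fields and sum_time_delta are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample (addresses and timings are made up): tab-separated fields
# in the layout printed by
#   tshark -r client.pcap -o tcp.calculate_timestamps:TRUE -T fields \
#          -e tcp.stream -e ip.src -e ip.dst -e tcp.time_delta
# tcp.time_delta is the time since the previous frame in the same TCP stream.
sample_fields() {
    printf '%s\t%s\t%s\t%s\n' \
        1 192.168.1.43 10.0.0.80    0.000000 \
        1 10.0.0.80    192.168.1.43 0.120000 \
        1 192.168.1.43 10.0.0.80    0.000100 \
        1 192.168.1.43 10.0.0.80    0.000400 \
        1 10.0.0.80    192.168.1.43 0.125000 \
        1 10.0.0.80    192.168.1.43 0.350000 \
        1 192.168.1.43 10.0.0.80    0.000050 \
        2 192.168.1.43 10.0.0.81    0.000000 \
        2 10.0.0.81    192.168.1.43 0.500000
}

# sum_time_delta STREAM HOST DIRECTION
#   DIRECTION is src (frames sent by HOST), dst (frames sent to HOST) or any.
# Reads the field rows on stdin and prints the sum with six decimals.
sum_time_delta() {
    LC_ALL=C awk -F '\t' -v stream="$1" -v host="$2" -v dir="$3" '
        # Same role as "tcp.time_delta && tcp.stream==N" in the stat filter:
        # skip rows without a delta and rows from other streams.
        $4 == "" || $1 != stream   { next }
        dir == "src" && $2 != host { next }   # like ip.src==HOST
        dir == "dst" && $3 != host { next }   # like ip.dst==HOST
        { sum += $4 }
        END { printf "%.6f\n", sum }
    '
}

# The two directional sums partition the stream total; a sum taken without a
# direction condition returns the whole total.
echo "sent by client: $(sample_fields | sum_time_delta 1 192.168.1.43 src)"
echo "sent to client: $(sample_fields | sum_time_delta 1 192.168.1.43 dst)"
echo "whole stream:   $(sample_fields | sum_time_delta 1 192.168.1.43 any)"
```
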
