Wireshark mailing list archives
Re: Wireshark-users Digest, Vol 130, Issue 6
From: noah davids <ndav1 () cox net>
Date: Sun, 12 Mar 2017 20:14:44 -0700
The problem with dns.time is that it seems to base its calculations on the last query, not the first. For example, if query 1 goes unanswered and query 2 is sent with the same ID and then a query comes back, dns.time calculates the time based on the second query. To me that is a little misleading. In the following you can see that there are 5 seconds between the first and second query but dns.time is reported at under 2 ms. The 5 seconds is lost and is probably significant if you are looking at performance issues.

    $ tshark -r dns.pcapng -Y "dns.id == 0xfc01" -T fields -e frame.time -e dns.id -e dns.qry.name -e dns.flags.response -e dns.time
    Mar 12, 2017 05:41:59.259558974 MST 0x0000fc01 z.cdn.turner.com 0
    Mar 12, 2017 05:42:04.267468318 MST 0x0000fc01 z.cdn.turner.com 0
    Mar 12, 2017 05:42:04.269226257 MST 0x0000fc01 z.cdn.turner.com 1 0.001757939

The following, while pretty ugly, will produce a table using the first time for a given ID:

    tshark -r dns.pcapng -T fields -e frame.number -e frame.time_epoch -e frame.time -e dns.id -e dns.flags.response -e dns.qry.name -e dns.qry.type > /tmp/foo; (echo ID TYPE Name Response-time - Query-time = Delta-time; awk '($9 == 1) {print $8 " " $10 " " $11}' /tmp/foo | sort -u | while read id name type; do echo $id $type $name: $( grep $id.*0.*$name.*$type /tmp/foo | awk '{print $2 " " $3 " " $5 " " $6}' | head -1 > /tmp/foo1; grep $id.*1.*$name.*$type /tmp/foo | awk '{print $2 " " $3 " " $5 " " $6}' | tail -1 >> /tmp/foo1; cat /tmp/foo1 | tr "\n" " " | awk '{print $8 " - " $4 " = " $5-$1}'); done) | column -t; rm /tmp/foo; rm /tmp/foo1

Filtering on just the example transaction ID yields:

    $ (tshark -r dns.pcapng -T fields -e frame.number -e frame.time_epoch -e frame.time -e dns.id -e dns.flags.response -e dns.qry.name -e dns.qry.type > /tmp/foo; (echo ID TYPE Name Response-time - Query-time = Delta-time; awk '($9 == 1) {print $8 " " $10 " " $11}' /tmp/foo | sort -u | while read id name type; do echo $id $type $name: $( grep $id.*0.*$name.*$type /tmp/foo | awk '{print $2 " " $3 " " $5 " " $6}' | head -1 > /tmp/foo1; grep $id.*1.*$name.*$type /tmp/foo | awk '{print $2 " " $3 " " $5 " " $6}' | tail -1 >> /tmp/foo1; cat /tmp/foo1 | tr "\n" " " | awk '{print $8 " - " $4 " = " $5-$1}'); done) | column -t; rm /tmp/foo; rm /tmp/foo1) | grep -E "fc01|ID"
    ID TYPE Name Response-time - Query-time = Delta-time
    0x0000fc01 28 z.cdn.turner.com: 05:42:04.269226257 - 05:41:59.259558974 = 5.00967

Note that this will not display a query that never gets an answer.

You can use gnuplot to plot them:

    $ (tshark -r dns.pcapng -T fields -e frame.number -e frame.time_epoch -e frame.time -e dns.id -e dns.flags.response -e dns.qry.name -e dns.qry.type > /tmp/foo; (echo ID TYPE Name Response-time - Query-time = Delta-time; awk '($9 == 1) {print $8 " " $10 " " $11}' /tmp/foo | sort -u | while read id name type; do echo $id $type $name: $( grep $id.*0.*$name.*$type /tmp/foo | awk '{print $2 " " $3 " " $5 " " $6}' | head -1 > /tmp/foo1; grep $id.*1.*$name.*$type /tmp/foo | awk '{print $2 " " $3 " " $5 " " $6}' | tail -1 >> /tmp/foo1; cat /tmp/foo1 | tr "\n" " " | awk '{print $8 " - " $4 " = " $5-$1}'); done) | column -t; rm /tmp/foo; rm /tmp/foo1) > /tmp/foo3; gnuplot -p -e "set xdata time; set timefmt \"%H:%M:%S\"; set format x \"%H:%M:%S\"; set logscale y 10; plot \"/tmp/foo3\" using 6:8; pause 300"; rm /tmp/foo3

Note that the pause 300 will give you 5 minutes to resize the window and have it scale correctly.

On 03/11/2017 05:00 AM, wireshark-users-request () wireshark org wrote:
------------------------------

Message: 2
Date: Fri, 10 Mar 2017 18:14:04 +0400
From: Abhik Sarkar <sarkar.abhik () gmail com>
To: Community support list for Wireshark <wireshark-users () wireshark org>
Subject: Re: [Wireshark-users] How to draw DNS response time in I/O Graph
Message-ID: <CA+i03uScZn1bMf9_EZMvAk+kDW627kyDtPf+_sUD7EQWyYcUcQ () mail gmail com>
Content-Type: text/plain; charset="utf-8"

Hi

Doesn't this one help: https://ask.wireshark.org/questions/3678/dns-transaction-latency?

Regards
Abhik
--
Noah Davids
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Serendipity is a function of bandwidth

If you are not the intended recipient of this E-mail it would be nice if you deleted it and notified me that you received it incorrectly. On the other hand, E-mail is an insecure mechanism; nothing in this E-mail can be considered confidential. Backup copies of this E-mail can be requested from the NSA by sending an E-mail to george.orwell () prisim oceania gov with the subject "Please recover E-mail" followed by the date, subject and original sender's E-mail address. $3.14 will be debited from one of your bank accounts for processing for each E-mail recovered.
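A one-pass version of the first-query matching described in the message above, written here as an added example (it is not code from the post or from Wireshark): it parses the tab-separated output of tshark -T fields, assuming the field order given in the comment, measures each answer against the first query carrying that transaction ID instead of the last one, and also lists queries that never got an answer, which the post's pipeline omits. The sample lines are constructed; the 0xfc01 timestamps mirror the numbers in the thread.

```python
"""Per-transaction DNS latency measured from the FIRST query carrying a
transaction ID (dns.time measures from the last one). Added example."""
from decimal import Decimal

# Assumed tshark invocation that produced the lines (fields are tab-separated):
# tshark -r dns.pcapng -T fields -e frame.number -e frame.time_epoch \
#        -e dns.id -e dns.flags.response -e dns.qry.name -e dns.qry.type
# Constructed sample; the 0xfc01 timestamps mirror the numbers in the thread.
SAMPLE_LINES = """\
10\t1489322519.259558974\t0x0000fc01\t0\tz.cdn.turner.com\t28
11\t1489322519.300000000\t0x00001234\t0\tmail.example.test\t1
12\t1489322519.312000000\t0x00001234\t1\tmail.example.test\t1
20\t1489322524.267468318\t0x0000fc01\t0\tz.cdn.turner.com\t28
21\t1489322524.269226257\t0x0000fc01\t1\tz.cdn.turner.com\t28
30\t1489322530.000000000\t0x0000abcd\t0\tlost.example.test\t1
"""


def dns_latency(lines):
    """Group frames by (id, name, type) and return per-transaction stats:
    first_query, last_query, queries (1 + retransmits), response (None if
    unanswered), delta_first (true latency) and delta_last (what dns.time
    reports). Decimal keeps the nanosecond timestamps exact."""
    txns = {}
    for line in lines.splitlines():
        if not line.strip():
            continue
        _frame, epoch, dns_id, is_resp, name, qtype = line.split("\t")
        st = txns.setdefault((dns_id, name, qtype), {
            "first_query": None, "last_query": None,
            "queries": 0, "response": None})
        t = Decimal(epoch)
        if is_resp == "0":
            if st["first_query"] is None:
                st["first_query"] = t
            st["last_query"] = t
            st["queries"] += 1
        elif st["first_query"] is not None and st["response"] is None:
            st["response"] = t  # first answer closes the transaction
    for st in txns.values():
        answered = st["response"] is not None
        st["delta_first"] = st["response"] - st["first_query"] if answered else None
        st["delta_last"] = st["response"] - st["last_query"] if answered else None
    return txns


def unanswered(txns):
    """Keys of queries that never got a response (dropped by the post's pipeline)."""
    return sorted(k for k, st in txns.items() if st["response"] is None)
```

For the 0xfc01 transaction this yields delta_first of 5.009667283 s and delta_last of 0.001757939 s, the same two numbers the post contrasts.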
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-users Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe