OSTU - Sake Blok on TShark Advanced Statistics


Sake Blok, a Wireshark/Ethereal devotee since 1999, works as a Research & Development Engineer for ion-ip in the Netherlands (http://www.ionip.com). His company provides solutions to customers who want to deliver their applications to users in a fast, secure, efficient and scalable manner. Sake's main focus is to take new products for a spin in their test environment, design custom solutions for customers and troubleshoot the problems customers might encounter while using ion-ip solutions. Two years ago (2006), Sake started to add the functionality he was missing to Wireshark. He also started to fix Wireshark bugs that were reported on Bugzilla. This work on Wireshark resulted in an invitation from Gerald Combs to join the Wireshark Core Development Team in 2007.


Transcript

  • 1. Tshark's advanced statistics March 2009
  • 2. This month's topic
    • In this sixth episode, I will show you how you can use tshark to calculate statistics
    • You will learn how to use:
      • COUNT()
      • SUM()
      • MIN()
      • MAX()
      • AVG()
  • 3. How to use (advanced) statistics
    • Used with -z io,stat
    • Statistics calculated over ALL packets
    • Use the form SUM(<field>)<filter>
    • <field> MUST be present in <filter>
    • Multiple statistics possible at the same time
    • Fields that are present multiple times in one packet are calculated multiple times
  • 4. How to use COUNT()
    • Can be used on ANY field
    • Counts the times the field occurs in each interval
    $ tshark -r sharkfest-2.cap -qz io,stat,300,
    > "COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission&&ip.src==192.168.1.11",
    > "COUNT(tcp.analysis.lost_segment)tcp.analysis.lost_segment&&ip.src==192.168.1.11",
    > "COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission&&ip.dst==192.168.1.11",
    > "COUNT(tcp.analysis.lost_segment)tcp.analysis.lost_segment&&ip.dst==192.168.1.11"
    ===================================================================
    IO Statistics
    Interval: 300.000 secs
    Column #0: COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission&&ip.src==192.168.1.11
    Column #1: COUNT(tcp.analysis.lost_segment)tcp.analysis.lost_segment&&ip.src==192.168.1.11
    Column #2: COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission&&ip.dst==192.168.1.11
    Column #3: COUNT(tcp.analysis.lost_segment)tcp.analysis.lost_segment&&ip.dst==192.168.1.11
                       | Column #0 | Column #1 | Column #2 | Column #3
    Time               |   COUNT   |   COUNT   |   COUNT   |   COUNT
    000.000-300.000          0           0          10          10
    300.000-600.000          0           0          16          16
    600.000-900.000          0           0          21          21
    900.000-1200.000         0           0           8           8
    1200.000-1500.000        0           0          13          13
    ===================================================================
    $
  • 5. How to use SUM()
    • Can only be used on integer fields
    • Calculates the sum of the field value for each interval
    $ tshark -r sharkfest-2.cap -qz io,stat,300,
    > "SUM(frame.len)frame.len&&tcp.port==110",
    > "SUM(tcp.len)tcp.len&&tcp.port==110"
    ===================================================================
    IO Statistics
    Interval: 300.000 secs
    Column #0: SUM(frame.len)frame.len&&tcp.port==110
    Column #1: SUM(tcp.len)tcp.len&&tcp.port==110
                       | Column #0 | Column #1
    Time               |    SUM    |    SUM
    000.000-300.000       112938       82140
    300.000-600.000        93399       68025
    600.000-900.000       108430       79420
    900.000-1200.000       97153       72139
    1200.000-1500.000      85371       62201
    ===================================================================
    $
  • 6. How to use MIN(), MAX() and AVG()
    • Can only be used on fields of type integer or relative time
    • Calculates the minimum, maximum or average value of the field for each interval
    $ tshark -r sharkfest-2.cap -qz io,stat,300,
    > "MIN(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt&&tcp.port==110",
    > "MAX(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt&&tcp.port==110",
    > "AVG(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt&&tcp.port==110"
    ===================================================================
    IO Statistics
    Interval: 300.000 secs
    Column #0: MIN(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt&&tcp.port==110
    Column #1: MAX(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt&&tcp.port==110
    Column #2: AVG(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt&&tcp.port==110
                       | Column #0 | Column #1 | Column #2
    Time               |    MIN    |    MAX    |    AVG
    000.000-300.000        0.000       2.981       0.027
    300.000-600.000        0.000       0.430       0.013
    600.000-900.000        0.000       0.630       0.016
    900.000-1200.000       0.000       1.525       0.023
    1200.000-1500.000      0.000       9.404       0.078
    ===================================================================
    sablo@BLOK ~/lovemytool $
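    The helper below is an added example, not part of the slides, covering slides 3 to 6: it builds the `-z io,stat,...` value from (aggregate, field, filter) triples while enforcing the "<field> MUST be present in <filter>" rule, and parses the interval table tshark prints so that intervals above a threshold (for instance retransmissions towards a host) can be picked out automatically. The sample table is constructed from slide 4; the function and column names are assumptions, and the built string is meant to be passed to tshark as a single `-z` argument.

```python
"""Build a tshark -z io,stat spec and parse the table it prints.
Added example (not from the slides); runs without tshark or a capture."""
import re

def iostat_arg(interval, stats):
    """stats: list of (aggregate, field, filter) triples, e.g.
    ("COUNT", "tcp.analysis.retransmission", "ip.src==192.168.1.11").
    Slide 3 requires <field> to be present in <filter>: when it is missing
    it is ANDed in so tshark accepts the column (plain substring check)."""
    cols = []
    for func, field, flt in stats:
        if field not in flt:
            flt = f"{field}&&{flt}" if flt else field
        cols.append(f"{func}({field}){flt}")
    return "io,stat," + ",".join([str(interval)] + cols)

# Interval rows look like "000.000-300.000   0   0   10   10".
ROW = re.compile(r"^(\d+\.\d+)-(\d+\.\d+)\s+(.*)$")

def parse_iostat(text):
    """Return [(start, end, [column values...]), ...], one per interval;
    the banner, Column #n definitions and separators never match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            start, end, rest = m.groups()
            rows.append((float(start), float(end), [float(v) for v in rest.split()]))
    return rows

def intervals_over(text, column, threshold):
    """(start, end) of every interval whose value in `column` exceeds
    `threshold`, e.g. 300 s windows with unusually many retransmissions."""
    return [(s, e) for s, e, vals in parse_iostat(text) if vals[column] > threshold]

# Constructed sample: the COUNT() table from slide 4, abbreviated.
SAMPLE = """\
IO Statistics
Interval: 300.000 secs
Column #2: COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission&&ip.dst==192.168.1.11
                 | Column #0 | Column #1 | Column #2 | Column #3
Time             |   COUNT   |   COUNT   |   COUNT   |   COUNT
000.000-300.000        0           0          10          10
300.000-600.000        0           0          16          16
600.000-900.000        0           0          21          21
900.000-1200.000       0           0           8           8
1200.000-1500.000      0           0          13          13
"""
```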
  • 7. That's all folks!
    • More info:
      • see the manpages at: http://www.wireshark.org/docs/man-pages/
    • Next month's episode: "scripting with tshark (1)"
    • Previous episodes can be found at: http://www.lovemytool.com/blog/sake_blok.html
    • e-mail: [email_address]
  • 8.
    • LoveMyTool.com Community for Network Monitoring & Management Tools
    • For additional educational videos on Open Source Network Tools, please visit: http://www.lovemytool.com/blog/ostu.html