OSTU - Sake Blok on TShark Statistics

Sake Blok, a Wireshark/Ethereal devotee since 1999, works as a Research & Development Engineer for ion-ip in the Netherlands (http://www.ionip.com). His company provides solutions to customers who want to deliver their applications to users in a fast, secure, efficient and scalable manner. Sake's main focus is to take new products for a spin in their test environment, design custom solutions for customers and troubleshoot the problems customers might encounter while using ion-ip solutions. Two years ago (2006), Sake started to add the functionality he was missing to Wireshark. He also started to fix Wireshark bugs that were reported on Bugzilla. This work on Wireshark resulted in an invitation from Gerald Combs to join the Wireshark Core Development Team in 2007.


OSTU - Sake Blok on TShark Statistics Presentation Transcript

  • 1. Welcome to this month's training session from NetCC. Sake Blok on… Tshark's -z statistics. February 2009. Network Analysis Community Center (http://www.netcc.nl)
  • 2. This month's topic
    • In this sixth episode, I will show you how you can use tshark to display statistics
    • You will learn how to:
      – use the -z options
      – display a protocol hierarchy
      – display conversations
      – display io statistics
  • 3. How to use the -z options
    • The -z option can be used to show different types of statistics
    • Use filters to restrict statistics gathering (does not filter packets)
    • Use -q if you ONLY want the statistics
    • Most -z options can be used multiple times in one command
  • 4. display a protocol hierarchy

      $ tshark -r sharkfest-2.cap -q -z io,phs
      ===================================================================
      Protocol Hierarchy Statistics
      Filter: frame

      frame                                    frames:4847 bytes:977566
        eth                                    frames:4847 bytes:977566
          ip                                   frames:4847 bytes:977566
            tcp                                frames:4678 bytes:961004
              smtp                             frames:1484 bytes:382011
                imf                            frames:99 bytes:6831
              pop                              frames:1281 bytes:448423
                imf                            frames:104 bytes:124216
            icmp                               frames:169 bytes:16562
      ===================================================================
      $
  • 5. display conversations
    • Use -z conv,<type>,<filter>
      – type is eth,tr,fc,fddi,ip,ipx,tcp or udp
      – filter is used to restrict statistics

      $ tshark -r sharkfest-2.cap -q -z conv,ip,tcp.port==25 -z conv,ip,tcp.port==110
      ================================================================================
      IPv4 Conversations
      Filter:tcp.port==110
                                        |       <-      | |       ->      | |     Total     |
                                        | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
      194.134.35.141 <-> 192.168.1.11       385    27767     401   170073     786   197840
      194.134.35.173 <-> 192.168.1.11       312    22421     326   139297     638   161718
      194.134.35.133 <-> 192.168.1.11       279    19996     292   117737     571   137733
      ================================================================================
      ================================================================================
      IPv4 Conversations
      Filter:tcp.port==25
                                        |       <-      | |       ->      | |     Total     |
                                        | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
      194.134.35.236 <-> 192.168.1.11       467   130230     555    48856    1022   179086
      194.134.35.134 <-> 192.168.1.11       399   107720     466    41195     865   148915
      194.134.35.235 <-> 192.168.1.11       376   100302     420    35410     796   135712
      ================================================================================
      $
  • 6. display io statistics
    • Use -z io,stat,<int>,<filt>,<filt>,…
      – int is the interval in seconds
      – filt is used for statistics selection

      $ tshark -r sharkfest-2.cap -q -z io,stat,300,tcp.port==25,tcp.port==110,'not (tcp.port==25 or tcp.port==110)'
      ===================================================================
      IO Statistics
      Interval: 300.000 secs
      Column #0: tcp.port==25
      Column #1: tcp.port==110
      Column #2: not (tcp.port==25 or tcp.port==110)
                      |   Column #0    |   Column #1    |   Column #2
      Time            |frames|  bytes  |frames|  bytes  |frames|  bytes
      000.000-300.000     561    103365    461    112938     29      2842
      300.000-600.000     538     98409    379     93399     40      3920
      600.000-900.000     826    122845    433    108430     40      3920
      900.000-1200.000    514     94946    375     97153     40      3920
      1200.000-1500.000   244     44148    347     85371     20      1960
      ===================================================================
      $
  • 7. That's all folks!
    • More info:
      – see the manpages at: http://www.wireshark.org/docs/man-pages/
    • Next month's episode: "advanced statistics with tshark"
    • Previous episodes can be found at: http://www.lovemytool.com/blog/sake_blok.html
    • e-mail: sake@euronet.nl
  • 8.
    • LoveMyTool.com Community for Network Monitoring & Management Tools
    • For additional educational videos on Open Source Network Tools, please visit: http://www.lovemytool.com/blog/ostu.html