Welcome to this month's training session from NetCC

Sake Blok on…

Tshark's -z statistics


OSTU - Sake Blok on TShark Statistics


Sake Blok, a Wireshark/Ethereal devotee since 1999, works as a Research & Development Engineer for ion-ip in the Netherlands (http://www.ionip.com). His company provides solutions to customers who want to deliver their applications to users in a fast, secure, efficient and scalable manner. Sake's main focus is to take new products for a spin in their test environment, design custom solutions for customers and troubleshoot the problems customers might encounter while using ion-ip solutions. Two years ago (2006), Sake started to add the functionality he was missing to Wireshark. He also started to fix Wireshark bugs that were reported on Bugzilla. This work on Wireshark resulted in an invitation from Gerald Combs to join the Wireshark Core Development Team in 2007.


  1. Welcome to this month's training session from NetCC. Sake Blok on… Tshark's -z statistics. February 2009, Network Analysis Community Center (www.netcc.nl)
  2. This month's topic
     • In this sixth episode, I will show you how you can use tshark to display statistics
     • You will learn how to:
       – use the -z options
       – display a protocol hierarchy
       – display conversations
       – display io statistics
  3. How to use the -z options
     • The -z option can be used to show different types of statistics
     • Use filters to restrict statistics gathering (does not filter packets)
     • Use -q if you ONLY want the statistics
     • Most -z options can be used multiple times in one command
  4. display a protocol hierarchy

         $ tshark -r sharkfest-2.cap -q -z io,phs
         ===================================================================
         Protocol Hierarchy Statistics
         Filter: frame

         frame                                    frames:4847 bytes:977566
           eth                                    frames:4847 bytes:977566
             ip                                   frames:4847 bytes:977566
               tcp                                frames:4678 bytes:961004
                 smtp                             frames:1484 bytes:382011
                   imf                            frames:99 bytes:6831
                 pop                              frames:1281 bytes:448423
                   imf                            frames:104 bytes:124216
               icmp                               frames:169 bytes:16562
         ===================================================================
         $
  5. display conversations
     • Use -z conv,<type>,<filter>
       – type is eth,tr,fc,fddi,ip,ipx,tcp or udp
       – filter is used to restrict statistics

         $ tshark -r sharkfest-2.cap -q -z conv,ip,tcp.port==25 -z conv,ip,tcp.port==110
         ================================================================================
         IPv4 Conversations
         Filter:tcp.port==110
                                             |       <-      | |       ->      | |     Total     |
                                             | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
         194.134.35.141  <-> 192.168.1.11         385   27767       401  170073       786  197840
         194.134.35.173  <-> 192.168.1.11         312   22421       326  139297       638  161718
         194.134.35.133  <-> 192.168.1.11         279   19996       292  117737       571  137733
         ================================================================================
         ================================================================================
         IPv4 Conversations
         Filter:tcp.port==25
                                             |       <-      | |       ->      | |     Total     |
                                             | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
         194.134.35.236  <-> 192.168.1.11         467  130230       555   48856      1022  179086
         194.134.35.134  <-> 192.168.1.11         399  107720       466   41195       865  148915
         194.134.35.235  <-> 192.168.1.11         376  100302       420   35410       796  135712
         ================================================================================
         $
  6. display io statistics
     • Use -z io,stat,<int>,<filt>,<filt>,…
       – int is the interval in seconds
       – filt is used for statistics selection

         $ tshark -r sharkfest-2.cap -q -z io,stat,300,tcp.port==25,tcp.port==110,'not (tcp.port==25 or tcp.port==110)'
         ===================================================================
         IO Statistics
         Interval: 300.000 secs
         Column #0: tcp.port==25
         Column #1: tcp.port==110
         Column #2: not (tcp.port==25 or tcp.port==110)
                           |   Column #0    |   Column #1    |   Column #2
         Time              |frames|  bytes  |frames|  bytes  |frames|  bytes
         000.000-300.000       561    103365    461    112938     29      2842
         300.000-600.000       538     98409    379     93399     40      3920
         600.000-900.000       826    122845    433    108430     40      3920
         900.000-1200.000      514     94946    375     97153     40      3920
         1200.000-1500.000     244     44148    347     85371     20      1960
         ===================================================================
         $
  7. That's all folks!
     • More info:
       – see the manpages at: http://www.wireshark.org/docs/man-pages/
     • Next month's episode: "advanced statistics with tshark"
     • Previous episodes can be found at: http://www.lovemytool.com/blog/sake_blok.html
     • e-mail: sake@euronet.nl
  8. • LoveMyTool.com Community for Network Monitoring & Management Tools
     • For additional educational videos on Open Source Network Tools, please visit: http://www.lovemytool.com/blog/ostu.html
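
Added example (not part of the original slides): a shell function that post-processes the `io,stat` output from slide 6 and flags any interval whose frame count for a column exceeds a chosen multiple of that column's mean, which is a quick way to spot a traffic burst per filter. The names `sample_iostat` and `iostat_spikes` and the threshold factor are chosen here; the parser assumes the table layout shown on the slide, and other tshark releases may format the table differently.

```shell
# The io,stat table from slide 6, embedded so this runs without tshark or the capture.
sample_iostat() {
cat <<'EOF'
IO Statistics
Interval: 300.000 secs
Column #0: tcp.port==25
Column #1: tcp.port==110
Column #2: not (tcp.port==25 or tcp.port==110)
                  |   Column #0    |   Column #1    |   Column #2
Time              |frames|  bytes  |frames|  bytes  |frames|  bytes
000.000-300.000       561    103365    461    112938     29      2842
300.000-600.000       538     98409    379     93399     40      3920
600.000-900.000       826    122845    433    108430     40      3920
900.000-1200.000      514     94946    375     97153     40      3920
1200.000-1500.000     244     44148    347     85371     20      1960
EOF
}

# iostat_spikes FACTOR: read io,stat text on stdin and print
# "<interval> [<filter>] frames=<n> mean=<m>" for every outlier cell.
iostat_spikes() {
  awk -v factor="$1" '
    /^Column #[0-9]+:/ {            # map column number to its filter text
      n = $2; gsub(/[#:]/, "", n)
      f = $0; sub(/^Column #[0-9]+: */, "", f)
      filter[n + 0] = f; next
    }
    /^[0-9]+\.[0-9]+-[0-9]+\.[0-9]+ / {   # row: interval, then frames/bytes pairs
      rows++; ival[rows] = $1
      ncol = int((NF - 1) / 2)
      for (c = 0; c < ncol; c++) {
        frames[rows, c] = $(2 + 2 * c) + 0
        sum[c] += frames[rows, c]
      }
    }
    END {
      for (c = 0; c < ncol; c++) {
        mean = sum[c] / rows
        for (r = 1; r <= rows; r++)
          if (frames[r, c] > factor * mean)
            printf "%s [%s] frames=%d mean=%.1f\n", ival[r], filter[c], frames[r, c], mean
      }
    }'
}

# Prints: 600.000-900.000 [tcp.port==25] frames=826 mean=536.6
sample_iostat | iostat_spikes 1.5
```

With a real capture, pipe the slide's `tshark -r <capture> -q -z io,stat,300,<filter>,…` command into `iostat_spikes` instead of the embedded sample.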
