OSTU - Sake Blok on TShark Advanced Statistics

Sake Blok, a Wireshark/Ethereal devotee since 1999, works as a Research & Development Engineer for ion-ip in the Netherlands (http://www.ionip.com). His company provides solutions to customers who want to deliver their applications to users in a fast, secure, efficient and scalable manner. Sake's main focus is to take new products for a spin in their test environment, design custom solutions for customers and troubleshoot the problems customers might encounter while using ion-ip solutions. Two years ago (2006), Sake started to add the functionality he was missing to Wireshark. He also started to fix Wireshark bugs that were reported on Bugzilla. This work on Wireshark resulted in an invitation from Gerald Combs to join the Wireshark Core Development Team in 2007.

  1. Tshark's advanced statistics, March 2009
  2. This month's topic
     • In this sixth episode, I will show you how you can use tshark to calculate statistics
     • You will learn how to use:
       • COUNT()
       • SUM()
       • MIN()
       • MAX()
       • AVG()
  3. How to use (advanced) statistics
     • Used with -z io,stat
     • Statistics calculated over ALL packets
     • Use the form SUM(<field>)<filter>
     • <field> MUST be present in <filter>
     • Multiple statistics possible at the same time
     • Fields that are present multiple times in one packet are calculated multiple times
  4. How to use COUNT()
     • Can be used on ANY field
     • Counts the times the field occurs in each interval

     $ tshark -r sharkfest-2.cap -qz io,stat,300,
     > "COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission&&ip.src==192.168.1.11",
     > "COUNT(tcp.analysis.lost_segment)tcp.analysis.lost_segment&&ip.src==192.168.1.11",
     > "COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission&&ip.dst==192.168.1.11",
     > "COUNT(tcp.analysis.lost_segment)tcp.analysis.lost_segment&&ip.dst==192.168.1.11"
     ===================================================================
     IO Statistics
     Interval: 300.000 secs
     Column #0: COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission&&ip.src==192.168.1.11
     Column #1: COUNT(tcp.analysis.lost_segment)tcp.analysis.lost_segment&&ip.src==192.168.1.11
     Column #2: COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission&&ip.dst==192.168.1.11
     Column #3: COUNT(tcp.analysis.lost_segment)tcp.analysis.lost_segment&&ip.dst==192.168.1.11
                       | Column #0 | Column #1 | Column #2 | Column #3
     Time              |   COUNT   |   COUNT   |   COUNT   |   COUNT
     000.000-300.000          0           0          10          10
     300.000-600.000          0           0          16          16
     600.000-900.000          0           0          21          21
     900.000-1200.000         0           0           8           8
     1200.000-1500.000        0           0          13          13
     ===================================================================
     $
  5. How to use SUM()
     • Can only be used on integer fields
     • Calculates the sum of the field value for each interval

     $ tshark -r sharkfest-2.cap -qz io,stat,300,
     > "SUM(frame.len)frame.len&&tcp.port==110",
     > "SUM(tcp.len)tcp.len&&tcp.port==110"
     ===================================================================
     IO Statistics
     Interval: 300.000 secs
     Column #0: SUM(frame.len)frame.len&&tcp.port==110
     Column #1: SUM(tcp.len)tcp.len&&tcp.port==110
                       | Column #0 | Column #1
     Time              |    SUM    |    SUM
     000.000-300.000       112938       82140
     300.000-600.000        93399       68025
     600.000-900.000       108430       79420
     900.000-1200.000       97153       72139
     1200.000-1500.000      85371       62201
     ===================================================================
     $
  6. How to use MIN(), MAX() and AVG()
     • Can only be used on fields of type integer or relative time
     • Calculates the minimum, maximum or average value of the field for each interval

     $ tshark -r sharkfest-2.cap -qz io,stat,300,
     > "MIN(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt&&tcp.port==110",
     > "MAX(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt&&tcp.port==110",
     > "AVG(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt&&tcp.port==110"
     ===================================================================
     IO Statistics
     Interval: 300.000 secs
     Column #0: MIN(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt&&tcp.port==110
     Column #1: MAX(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt&&tcp.port==110
     Column #2: AVG(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt&&tcp.port==110
                       | Column #0 | Column #1 | Column #2
     Time              |    MIN    |    MAX    |    AVG
     000.000-300.000        0.000       2.981       0.027
     300.000-600.000        0.000       0.430       0.013
     600.000-900.000        0.000       0.630       0.016
     900.000-1200.000       0.000       1.525       0.023
     1200.000-1500.000      0.000       9.404       0.078
     ===================================================================
     sablo@BLOK ~/lovemytool $
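As an added example (not part of Sake Blok's slides or of tshark itself): a Python parser for the `io,stat` output layout shown on slides 4 to 6, plus a check for the slide 3 rule that the field inside COUNT()/SUM()/MIN()/MAX()/AVG() must also appear in the filter. The sample block is copied from slide 4; the function names are my own, and the parser targets the 2009 layout shown here, since current tshark releases print the table differently.

```python
import re

# Output copied from the COUNT() slide above (the tshark 1.x "io,stat" layout).
SAMPLE = """\
===================================================================
IO Statistics
Interval: 300.000 secs
Column #0: COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission&&ip.src==192.168.1.11
Column #1: COUNT(tcp.analysis.lost_segment)tcp.analysis.lost_segment&&ip.src==192.168.1.11
Column #2: COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission&&ip.dst==192.168.1.11
Column #3: COUNT(tcp.analysis.lost_segment)tcp.analysis.lost_segment&&ip.dst==192.168.1.11
                | Column #0 | Column #1 | Column #2 | Column #3
Time            |   COUNT   |   COUNT   |   COUNT   |   COUNT
000.000-300.000        0          0         10         10
300.000-600.000        0          0         16         16
600.000-900.000        0          0         21         21
900.000-1200.000       0          0          8          8
1200.000-1500.000      0          0         13         13
===================================================================
"""

def check_expr(expr):
    """Slide 3 rule: in FUNC(field)filter the field must be present in filter."""
    m = re.fullmatch(r"(COUNT|SUM|MIN|MAX|AVG)\((\S+?)\)(.*)", expr)
    if not m or m.group(2) not in re.findall(r"[A-Za-z_][\w.]*", m.group(3)):
        raise ValueError(f"field not present in filter: {expr}")
    return m.group(1), m.group(2), m.group(3)

def parse_io_stat(text):
    """Parse one IO Statistics block into {'interval', 'columns', 'rows'}."""
    stat = {"interval": None, "columns": [], "rows": []}
    for line in text.splitlines():
        if m := re.match(r"Interval:\s+([\d.]+) secs", line):
            stat["interval"] = float(m.group(1))
        elif m := re.match(r"Column #(\d+):\s+(\S+)", line):
            stat["columns"].append(m.group(2))       # listed in column order
        elif m := re.match(r"(\d+\.\d+)-(\d+\.\d+)\s+(.*)", line):
            values = [float(v) for v in m.group(3).split()]
            if len(values) != len(stat["columns"]):  # wrapped or truncated row
                raise ValueError(f"bad row: {line!r}")
            stat["rows"].append((float(m.group(1)), float(m.group(2)), values))
    if stat["interval"] is None or not stat["columns"]:
        raise ValueError("not an IO Statistics block")
    return stat

def intervals_over(stat, column, threshold):
    """Intervals whose value in `column` exceeds threshold (e.g. lost segments to a host)."""
    return [(s, e, v[column]) for s, e, v in stat["rows"] if v[column] > threshold]
```

Feed it the stdout of a `tshark -qz io,stat,...` run to turn the per-interval table into rows you can baseline or alert on.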
  7. That's all folks!
     • More info:
       • see the manpages at: http://www.wireshark.org/docs/man-pages/
     • Next month's episode: "scripting with tshark (1)"
     • Previous episodes can be found at: http://www.lovemytool.com/blog/sake_blok.html
     • e-mail: [email_address]
  8. LoveMyTool.com
     • Community for Network Monitoring & Management Tools
     • For additional educational videos on Open Source Network Tools, please visit: http://www.lovemytool.com/blog/ostu.html