Sake Blok, a Wireshark/Ethereal devotee since 1999, works as a Research & Development Engineer for ion-ip in the Netherlands (http://www.ionip.com) . His company provides solutions to customers who want to deliver their applications to users in a fast, secure, efficient and scalable manner. Sake\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'s main focus is to take new products for a spin in their test environment, design custom solutions for customers and troubleshoot the problems customers might encounter while using ion-ip solutions. Two years ago (2006), Sake started to add the functionality he was missing to Wireshark. He also started to fix Wireshark-bugs that were reported on Bugzilla. This work on Wireshark resulted in an invitation from Gerald Combs to join the Wireshark Core Development Team in 2007.

1. Welcome to this months training session from NetCC
Sake Blok on…
Tsharks -z statistics
February 2009
Network Analysis Community Center
www.netcc.nl

2. 0010000000101011001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010
1101001011010010110100101101001011010010110100101101001011010010110100101101001010110010000000001010001000000111110000100000001000000011101000101101001010010010000001001110
0110100101100011011001010010000001110100011011110010000001101101011001010110010101110100001000000111100101101111011101010010000100100000001110100010110100101001001000000010
This months topic
0000011111000010000000001010001000000111110000100000010100000110110001100101011000010111001101100101001000000111001101100101011011100110010000100000011011010110010100100000
0110000101101110001000000110010100101101011011010110000101101001011011000010000001100001011101000010000001111100001000000000101000100000011111000010000000100000001000000010
0000001000000010000000100000011100110110000101101011011001010100000001100101011101010111001001101111011011100110010101110100001011100110111001101100001000000010000000100000
0010000000100000001000000010000001111100001000000000101000100000001010110010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010
110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001010110010000000001010
• In this sixth episode, I will show
you how you can use tshark to
display statistics
• You will learn how to:
– use the -z options
– display a protocol hierarchy
– display conversations
– display io statistics
2
Sake Blok on… Tsharks -z statistics
February 2009
Network Analysis Community Center (http://www.netcc.nl)

3. 0010000000101011001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010
1101001011010010110100101101001011010010110100101101001011010010110100101101001010110010000000001010001000000111110000100000001000000011101000101101001010010010000001001110
0110100101100011011001010010000001110100011011110010000001101101011001010110010101110100001000000111100101101111011101010010000100100000001110100010110100101001001000000010
How to use the -z options
0000011111000010000000001010001000000111110000100000010100000110110001100101011000010111001101100101001000000111001101100101011011100110010000100000011011010110010100100000
0110000101101110001000000110010100101101011011010110000101101001011011000010000001100001011101000010000001111100001000000000101000100000011111000010000000100000001000000010
0000001000000010000000100000011100110110000101101011011001010100000001100101011101010111001001101111011011100110010101110100001011100110111001101100001000000010000000100000
0010000000100000001000000010000001111100001000000000101000100000001010110010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010
110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001010110010000000001010
• The -z option can be used to show
different types of statistics
• Use filters to restrict statistics
gathering (does not filter packets)
• Use -q if you ONLY want the
statistics
• Most -z options can be used multiple
times in one command
3
Sake Blok on… Tsharks -z statistics
February 2009
Network Analysis Community Center (http://www.netcc.nl)

4. 0010000000101011001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010
1101001011010010110100101101001011010010110100101101001011010010110100101101001010110010000000001010001000000111110000100000001000000011101000101101001010010010000001001110
0110100101100011011001010010000001110100011011110010000001101101011001010110010101110100001000000111100101101111011101010010000100100000001110100010110100101001001000000010
display a protocol hierarchy
0000011111000010000000001010001000000111110000100000010100000110110001100101011000010111001101100101001000000111001101100101011011100110010000100000011011010110010100100000
0110000101101110001000000110010100101101011011010110000101101001011011000010000001100001011101000010000001111100001000000000101000100000011111000010000000100000001000000010
0000001000000010000000100000011100110110000101101011011001010100000001100101011101010111001001101111011011100110010101110100001011100110111001101100001000000010000000100000
0010000000100000001000000010000001111100001000000000101000100000001010110010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010
110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001010110010000000001010
$ tshark -r sharkfest-2.cap -q -z io,phs
===================================================================
Protocol Hierarchy Statistics
Filter: frame
frame frames:4847 bytes:977566
eth frames:4847 bytes:977566
ip frames:4847 bytes:977566
tcp frames:4678 bytes:961004
smtp frames:1484 bytes:382011
imf frames:99 bytes:6831
pop frames:1281 bytes:448423
imf frames:104 bytes:124216
icmp frames:169 bytes:16562
===================================================================
$
4
Sake Blok on… Tsharks -z statistics
February 2009
Network Analysis Community Center (http://www.netcc.nl)

5. 0010000000101011001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010
1101001011010010110100101101001011010010110100101101001011010010110100101101001010110010000000001010001000000111110000100000001000000011101000101101001010010010000001001110
0110100101100011011001010010000001110100011011110010000001101101011001010110010101110100001000000111100101101111011101010010000100100000001110100010110100101001001000000010
display conversations
0000011111000010000000001010001000000111110000100000010100000110110001100101011000010111001101100101001000000111001101100101011011100110010000100000011011010110010100100000
0110000101101110001000000110010100101101011011010110000101101001011011000010000001100001011101000010000001111100001000000000101000100000011111000010000000100000001000000010
0000001000000010000000100000011100110110000101101011011001010100000001100101011101010111001001101111011011100110010101110100001011100110111001101100001000000010000000100000
0010000000100000001000000010000001111100001000000000101000100000001010110010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010
110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001010110010000000001010
• Use -z conv,<type>,<filter>
– type is eth,tr,fc,fddi,ip,ipx,tcp or
udp
– filter is used to restrict statistics
$ tshark -r sharkfest-2.cap -q -z conv,ip,tcp.port==25 -z conv,ip,tcp.port==110
================================================================================
IPv4 Conversations
Filter:tcp.port==110
| <- || -> | | Total |
| Frames Bytes | | Frames Bytes | | Frames Bytes |
194.134.35.141 <-> 192.168.1.11 385 27767 401 170073 786 197840
194.134.35.173 <-> 192.168.1.11 312 22421 326 139297 638 161718
194.134.35.133 <-> 192.168.1.11 279 19996 292 117737 571 137733
================================================================================
================================================================================
IPv4 Conversations
Filter:tcp.port==25
| <- || -> | | Total |
| Frames Bytes | | Frames Bytes | | Frames Bytes |
194.134.35.236 <-> 192.168.1.11 467 130230 555 48856 1022 179086
194.134.35.134 <-> 192.168.1.11 399 107720 466 41195 865 148915
194.134.35.235 <-> 192.168.1.11 376 100302 420 35410 796 135712
================================================================================
$
5
Sake Blok on… Tsharks -z statistics
February 2009
Network Analysis Community Center (http://www.netcc.nl)

6. 0010000000101011001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010
1101001011010010110100101101001011010010110100101101001011010010110100101101001010110010000000001010001000000111110000100000001000000011101000101101001010010010000001001110
0110100101100011011001010010000001110100011011110010000001101101011001010110010101110100001000000111100101101111011101010010000100100000001110100010110100101001001000000010
display io statistics
0000011111000010000000001010001000000111110000100000010100000110110001100101011000010111001101100101001000000111001101100101011011100110010000100000011011010110010100100000
0110000101101110001000000110010100101101011011010110000101101001011011000010000001100001011101000010000001111100001000000000101000100000011111000010000000100000001000000010
0000001000000010000000100000011100110110000101101011011001010100000001100101011101010111001001101111011011100110010101110100001011100110111001101100001000000010000000100000
0010000000100000001000000010000001111100001000000000101000100000001010110010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010
110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001010110010000000001010
• Use -z io,stat,<int>,<filt>,<filt>,…
– int is the interval in seconds
– filt is used for statistics selection
$ tshark -r sharkfest-2.cap -q -z io,stat,300,tcp.port==25,tcp.port==110,'not
(tcp.port==25 or tcp.port==110)'
===================================================================
IO Statistics
Interval: 300.000 secs
Column #0: tcp.port==25
Column #1: tcp.port==110
Column #2: not (tcp.port==25 or tcp.port==110)
| Column #0 | Column #1 | Column #2
Time |frames| bytes |frames| bytes |frames| bytes
000.000-300.000 561 103365 461 112938 29 2842
300.000-600.000 538 98409 379 93399 40 3920
600.000-900.000 826 122845 433 108430 40 3920
900.000-1200.000 514 94946 375 97153 40 3920
1200.000-1500.000 244 44148 347 85371 20 1960
===================================================================
$
6
Sake Blok on… Tsharks -z statistics
February 2009
Network Analysis Community Center (http://www.netcc.nl)

7. 0010000000101011001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010
1101001011010010110100101101001011010010110100101101001011010010110100101101001010110010000000001010001000000111110000100000001000000011101000101101001010010010000001001110
0110100101100011011001010010000001110100011011110010000001101101011001010110010101110100001000000111100101101111011101010010000100100000001110100010110100101001001000000010
That's all folks!
0000011111000010000000001010001000000111110000100000010100000110110001100101011000010111001101100101001000000111001101100101011011100110010000100000011011010110010100100000
0110000101101110001000000110010100101101011011010110000101101001011011000010000001100001011101000010000001111100001000000000101000100000011111000010000000100000001000000010
0000001000000010000000100000011100110110000101101011011001010100000001100101011101010111001001101111011011100110010101110100001011100110111001101100001000000010000000100000
0010000000100000001000000010000001111100001000000000101000100000001010110010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010
110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001010110010000000001010
• More info:
– see the manpages at: http://
www.wireshark.org/docs/man-pages/
• Next months episode:
quot;advanced statistics with tsharkquot;
• Previous episodes can be found at:
http://www.lovemytool.com/blog/sake_blok.html
• e-mail: sake@euronet.nl
7
Sake Blok on… Tsharks -z statistics
February 2009
Network Analysis Community Center (http://www.netcc.nl)

8. 0010000000101011001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010
1101001011010010110100101101001011010010110100101101001011010010110100101101001010110010000000001010001000000111110000100000001000000011101000101101001010010010000001001110
0110100101100011011001010010000001110100011011110010000001101101011001010110010101110100001000000111100101101111011101010010000100100000001110100010110100101001001000000010
0000011111000010000000001010001000000111110000100000010100000110110001100101011000010111001101100101001000000111001101100101011011100110010000100000011011010110010100100000
0110000101101110001000000110010100101101011011010110000101101001011011000010000001100001011101000010000001111100001000000000101000100000011111000010000000100000001000000010
0000001000000010000000100000011100110110000101101011011001010100000001100101011101010111001001101111011011100110010101110100001011100110111001101100001000000010000000100000
0010000000100000001000000010000001111100001000000000101000100000001010110010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010
110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001011010010110100101101001010110010000000001010
• LoveMyTool.com
Community for Network Monitoring &
Management Tools
• For additional educational videos on
Open Source Network Tools, please
visit:
http://www.lovemytool.com/blog/ostu.html
8
Sake Blok on… Tsharks -z statistics
February 2009
Network Analysis Community Center (http://www.netcc.nl)