Different statistic results of tshark and wireshark for the same pcap file

asked 2019-11-22 04:03:00 +0000

whxru
1 ●1

I want to calculate the number and size of packets in the trace file, and I get the same number of packets in tshark and wireshark, but the bytes are not the same, in tshark it's:

    olsr                             frames:1171 bytes:142792
    data                             frames:571 bytes:73088
  icmp                               frames:196 bytes:18032

===================================================================

However in wireshark the bytes of olsr, data, icmp are respectively 67848 36544 7056.

The pcap file is here: https://www.dropbox.com/s/4tgkdy3w8mf...

edit retag flag offensive close merge delete

Comments

I am on mobile and can't look at the pcap file at the moment.

What was the exact tshark command you used? Do the counts change if you include/exclude the 2-pass analysis option, -2? Which versions of Wireshark/tshark are you using? Please provide Wireshark Help -> About Wireshark information and tshark-v output if the versions are not the same.

cmaynard ( 2019-11-22 13:36:09 +0000 )edit

I got same tshark results with or without "-2" option - version 3.1.1.

Chuckc ( 2019-11-22 14:30:32 +0000 )edit

I think Wireshark and tshark are using different data:

proto_hier_stats.c  (Wireshark)
------------------
process_node(proto_node *ptree_node, GNode *parent_stat_node, ph_stats_t *ps)

    stats->num_bytes_total += finfo->length;


tap-protohierstat.c  (tshark)
-------------------
protohierstat_packet(void *prs, packet_info *pinfo, epan_dissect_t *edt, const void *dummy _U_)
<snip>
    rs->bytes += pinfo->fd->pkt_len;

Chuckc ( 2019-11-22 14:59:09 +0000 )edit

add a comment

answered 2019-11-22 05:17:46 +0000

Chuckc
3063 ●6 ●621 ●20

updated 2019-11-22 05:19:27 +0000

Unfortunately it was not implemented the same way in both programs.
I see the same statistics as you in version 3.1.1 of tshark and wireshark.
Wireshark does not support -z io,phs on its command line so its numbers are from the GUI.

https://ask.wireshark.org/question/11...

https://www.wireshark.org/docs/man-pa...

-z io,phs[,filter]
Create Protocol Hierarchy Statistics listing both number of packets and bytes. If no filter is specified the statistics will be calculated for all packets. If a filter is specified statistics will only be calculated for those packets that match the filter.

https://www.wireshark.org/docs/man-pa...

Statistics:Protocol Hierarchy
Show the number of packets, and the number of bytes in those packets, for each protocol in the trace. It organizes the protocols in the same hierarchy in which they were found in the trace.<snip>

edit flag offensive delete link

Comments

tshark -r ./t.pcap -z io,stat,0,,FRAMES,BYTES,"FRAMES()icmp","BYTES()icmp"

tshark is consistent no matter which path is used to gather the stats:

=======================================================================
| IO Statistics                                                       |
|                                                                     |
| Duration: 555.4 secs                                                |
| Interval: 555.4 secs                                                |
|                                                                     |
| Col 1: Frames and bytes                                             |
|     2: FRAMES                                                       |
|     3: BYTES                                                        |
|     4: FRAMES()icmp                                                 |
|     5: BYTES()icmp                                                  |
|---------------------------------------------------------------------|
|                |1                |2       |3       |4       |5      |
| Interval       | Frames |  Bytes | FRAMES |  BYTES | FRAMES | BYTES |
|---------------------------------------------------------------------|
|   0.0 <> 555.4 |   2523 | 243652 |   2523 | 243652 |    196 | 18032 |
=======================================================================

Chuckc ( 2019-11-22 05:29:29 +0000 )edit

Thanks for your reply, but I've built the wireshark-3.1.1 on my Ubuntu OS and I found that the statistics are also not the same. Since during the experiment I fix the packet size of data, so the result from GUI is more reasonable to my analysis, however I need to handle a batch of pcap file in the code, so I cannot directly use the Wireshark GUI, is there any way I could get the same result with it by a programmable method?

whxru ( 2019-11-22 08:08:33 +0000 )edit

Is it only olsr data you need for the files?

$ tshark -r ./t.pcap -qz io,stat,0,"SUM(olsr.packet_len)olsr.packet_len"

==============================================
| IO Statistics                              |
|                                            |
| Duration: 555.4 secs                       |
| Interval: 555.4 secs                       |
|                                            |
| Col 1: SUM(olsr.packet_len)olsr.packet_len |
|--------------------------------------------|
|                |1      |                   |
| Interval       |  SUM  |                   |
|------------------------|                   |
|   0.0 <> 555.4 | 67848 |                   |
==============================================

Chuckc ( 2019-11-22 15:16:04 +0000 )edit

add a comment

Different statistic results of tshark and wireshark for the same pcap file

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Different statistic results of tshark and wireshark for the same pcap file edit

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Different statistic results of tshark and wireshark for the same pcap file