Different statistic results of tshark and wireshark for the same pcap file

whxru
1 ●1

I want to calculate the number and size of packets in the trace file, and I get the same number of packets in tshark and wireshark, but the bytes are not the same, in tshark it's:

    olsr                             frames:1171 bytes:142792
    data                             frames:571 bytes:73088
  icmp                               frames:196 bytes:18032

===================================================================

However in wireshark the bytes of olsr, data, icmp are respectively 67848 36544 7056.

The pcap file is here: https://www.dropbox.com/s/4tgkdy3w8mf...

Comments

I am on mobile and can't look at the pcap file at the moment.

What was the exact tshark command you used? Do the counts change if you include/exclude the 2-pass analysis option, -2? Which versions of Wireshark/tshark are you using? Please provide Wireshark Help -> About Wireshark information and tshark-v output if the versions are not the same.

cmaynard ( Nov 22 '19 )

I got same tshark results with or without "-2" option - version 3.1.1.

Chuckc ( Nov 22 '19 )

I think Wireshark and tshark are using different data:

proto_hier_stats.c  (Wireshark)
------------------
process_node(proto_node *ptree_node, GNode *parent_stat_node, ph_stats_t *ps)

    stats->num_bytes_total += finfo->length;


tap-protohierstat.c  (tshark)
-------------------
protohierstat_packet(void *prs, packet_info *pinfo, epan_dissect_t *edt, const void *dummy _U_)
<snip>
    rs->bytes += pinfo->fd->pkt_len;

Chuckc ( Nov 22 '19 )

add a comment

answered Nov 22 '19

Chuckc
3048 ●6 ●619 ●20

updated Nov 22 '19

Unfortunately it was not implemented the same way in both programs.
I see the same statistics as you in version 3.1.1 of tshark and wireshark.
Wireshark does not support -z io,phs on its command line so its numbers are from the GUI.

https://ask.wireshark.org/question/11...

https://www.wireshark.org/docs/man-pa...

-z io,phs[,filter]
Create Protocol Hierarchy Statistics listing both number of packets and bytes. If no filter is specified the statistics will be calculated for all packets. If a filter is specified statistics will only be calculated for those packets that match the filter.

https://www.wireshark.org/docs/man-pa...

Statistics:Protocol Hierarchy
Show the number of packets, and the number of bytes in those packets, for each protocol in the trace. It organizes the protocols in the same hierarchy in which they were found in the trace.<snip>

link

Comments

tshark -r ./t.pcap -z io,stat,0,,FRAMES,BYTES,"FRAMES()icmp","BYTES()icmp"

tshark is consistent no matter which path is used to gather the stats:

=======================================================================
| IO Statistics                                                       |
|                                                                     |
| Duration: 555.4 secs                                                |
| Interval: 555.4 secs                                                |
|                                                                     |
| Col 1: Frames and bytes                                             |
|     2: FRAMES                                                       |
|     3: BYTES                                                        |
|     4: FRAMES()icmp                                                 |
|     5: BYTES()icmp                                                  |
|---------------------------------------------------------------------|
|                |1                |2       |3       |4       |5      |
| Interval       | Frames |  Bytes | FRAMES |  BYTES | FRAMES | BYTES |
|---------------------------------------------------------------------|
|   0.0 <> 555.4 |   2523 | 243652 |   2523 | 243652 |    196 | 18032 |
=======================================================================

Chuckc ( Nov 22 '19 )

Thanks for your reply, but I've built the wireshark-3.1.1 on my Ubuntu OS and I found that the statistics are also not the same. Since during the experiment I fix the packet size of data, so the result from GUI is more reasonable to my analysis, however I need to handle a batch of pcap file in the code, so I cannot directly use the Wireshark GUI, is there any way I could get the same result with it by a programmable method?

whxru ( Nov 22 '19 )

Is it only olsr data you need for the files?

$ tshark -r ./t.pcap -qz io,stat,0,"SUM(olsr.packet_len)olsr.packet_len"

==============================================
| IO Statistics                              |
|                                            |
| Duration: 555.4 secs                       |
| Interval: 555.4 secs                       |
|                                            |
| Col 1: SUM(olsr.packet_len)olsr.packet_len |
|--------------------------------------------|
|                |1      |                   |
| Interval       |  SUM  |                   |
|------------------------|                   |
|   0.0 <> 555.4 | 67848 |                   |
==============================================

Chuckc ( Nov 22 '19 )

add a comment

Different statistic results of tshark and wireshark for the same pcap file

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Different statistic results of tshark and wireshark for the same pcap file savecancel

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Different statistic results of tshark and wireshark for the same pcap file