Ask Your Question
0

Different statistic results of tshark and wireshark for the same pcap file

asked 2019-11-22 04:03:00 +0000

whxru gravatar image

I want to calculate the number and size of packets in the trace file, and I get the same number of packets in tshark and wireshark, but the bytes are not the same, in tshark it's:

    olsr                             frames:1171 bytes:142792
    data                             frames:571 bytes:73088
  icmp                               frames:196 bytes:18032

===================================================================

However in wireshark the bytes of olsr, data, icmp are respectively 67848 36544 7056.

The pcap file is here: https://www.dropbox.com/s/4tgkdy3w8mf...

edit retag flag offensive close merge delete

Comments

I am on mobile and can't look at the pcap file at the moment.

What was the exact tshark command you used? Do the counts change if you include/exclude the 2-pass analysis option, -2? Which versions of Wireshark/tshark are you using? Please provide Wireshark Help -> About Wireshark information and tshark-v output if the versions are not the same.

cmaynard gravatar imagecmaynard ( 2019-11-22 13:36:09 +0000 )edit

I got same tshark results with or without "-2" option - version 3.1.1.

Chuckc gravatar imageChuckc ( 2019-11-22 14:30:32 +0000 )edit

I think Wireshark and tshark are using different data:

proto_hier_stats.c  (Wireshark)
------------------
process_node(proto_node *ptree_node, GNode *parent_stat_node, ph_stats_t *ps)

    stats->num_bytes_total += finfo->length;


tap-protohierstat.c  (tshark)
-------------------
protohierstat_packet(void *prs, packet_info *pinfo, epan_dissect_t *edt, const void *dummy _U_)
<snip>
    rs->bytes += pinfo->fd->pkt_len;

Chuckc gravatar imageChuckc ( 2019-11-22 14:59:09 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-11-22 05:17:46 +0000

Chuckc gravatar image

updated 2019-11-22 05:19:27 +0000

Unfortunately it was not implemented the same way in both programs.
I see the same statistics as you in version 3.1.1 of tshark and wireshark.
Wireshark does not support -z io,phs on its command line so its numbers are from the GUI.

https://ask.wireshark.org/question/11...

https://www.wireshark.org/docs/man-pa...

-z io,phs[,filter]
Create Protocol Hierarchy Statistics listing both number of packets and bytes. If no filter is specified the statistics will be calculated for all packets. If a filter is specified statistics will only be calculated for those packets that match the filter.

https://www.wireshark.org/docs/man-pa...

Statistics:Protocol Hierarchy
Show the number of packets, and the number of bytes in those packets, for each protocol in the trace. It organizes the protocols in the same hierarchy in which they were found in the trace.<snip>
edit flag offensive delete link more

Comments

tshark -r ./t.pcap -z io,stat,0,,FRAMES,BYTES,"FRAMES()icmp","BYTES()icmp"


tshark is consistent no matter which path is used to gather the stats:

=======================================================================
| IO Statistics                                                       |
|                                                                     |
| Duration: 555.4 secs                                                |
| Interval: 555.4 secs                                                |
|                                                                     |
| Col 1: Frames and bytes                                             |
|     2: FRAMES                                                       |
|     3: BYTES                                                        |
|     4: FRAMES()icmp                                                 |
|     5: BYTES()icmp                                                  |
|---------------------------------------------------------------------|
|                |1                |2       |3       |4       |5      |
| Interval       | Frames |  Bytes | FRAMES |  BYTES | FRAMES | BYTES |
|---------------------------------------------------------------------|
|   0.0 <> 555.4 |   2523 | 243652 |   2523 | 243652 |    196 | 18032 |
=======================================================================
Chuckc gravatar imageChuckc ( 2019-11-22 05:29:29 +0000 )edit

Thanks for your reply, but I've built the wireshark-3.1.1 on my Ubuntu OS and I found that the statistics are also not the same. Since during the experiment I fix the packet size of data, so the result from GUI is more reasonable to my analysis, however I need to handle a batch of pcap file in the code, so I cannot directly use the Wireshark GUI, is there any way I could get the same result with it by a programmable method?

whxru gravatar imagewhxru ( 2019-11-22 08:08:33 +0000 )edit

Is it only olsr data you need for the files?

$ tshark -r ./t.pcap -qz io,stat,0,"SUM(olsr.packet_len)olsr.packet_len"

==============================================
| IO Statistics                              |
|                                            |
| Duration: 555.4 secs                       |
| Interval: 555.4 secs                       |
|                                            |
| Col 1: SUM(olsr.packet_len)olsr.packet_len |
|--------------------------------------------|
|                |1      |                   |
| Interval       |  SUM  |                   |
|------------------------|                   |
|   0.0 <> 555.4 | 67848 |                   |
==============================================

Chuckc gravatar imageChuckc ( 2019-11-22 15:16:04 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-11-22 04:03:00 +0000

Seen: 505 times

Last updated: Nov 22 '19