stumbling over use of io,stat,0,SUM...

asked 2020-01-07 19:10:30 +0000 by Stuart Kendrick

updated 2020-01-07 22:38:14 +0000 by grahamb

I would like to use tshark to SUM tcp.delta_time in a pcap. But clearly I'm fumbling something. Pointers?

tshark 2.6.10

guru> tshark -r sample.pcapng –Y tcp.dstport==443 -o tcp.calculate_timestamps:TRUE -z io,stat,0,"SUM(tcp.time_delta)tcp.time_delta"
guru> tshark: "" was unexpected in this context

Seems to me that the use of "" is required in this context ... what is this error telling me?

tshark 3.20.0

C:\Temp>tshark -r sample.pcapng -o tcp.calculate_timestamps:TRUE -Y tcp.dstport==443 -z io,stat,0."SUM(tcp.time_delta)tcp.time_delta"

tshark: invalid "-z io,stat,<interval>[,<filter>][,<filter>]..." argument

C:\Temp>

Seems like tshark is interpreting this line as belonging to the standard class of '-z io,stat' lines ... whereas I would prefer that it interpret my options as belonging to the "COUNT|SUM|MIN|MAX|AVG|LOAD" approach (https://www.wireshark.org/docs/man-pa...) ... but again, I don't see why tshark is interpreting my options this way.

Googling, I can find syntax which looks similar to me https://seclists.org/wireshark/2011/N... https://www.wireshark.org/lists/wires...

But apparently, I'm not copying as accurately as I would like from these past posts.

Suggestions?

--sk

Stuart Kendrick


Comments

Output of tshark -v or confirm this is on Windows. (C:\Temp> in question)
Oops - missed the examples were from Windows and some other OS.

Chuckc ( 2020-01-07 19:46:20 +0000 )

1 Answer

answered 2020-01-07 19:52:54 +0000 by Chuckc

Windows syntax:

C:\>tshark -r .\smtp.pcap -o tcp.calculate_timestamps:TRUE -Y tcp.dstport==443 -z io,stat,0,SUM(tcp.time_delta)tcp.time_delta

============================================
| IO Statistics                            |
|                                          |
| Duration: 9.198 secs                     |
| Interval: 9.198 secs                     |
|                                          |
| Col 1: SUM(tcp.time_delta)tcp.time_delta |
|------------------------------------------|
|                |1         |              |
| Interval       |    SUM   |              |
|---------------------------|              |
| 0.000 <> 9.198 | 7.577713 |              |
============================================

Linux:

root@kali:~# tshark -r ./nfl_short.pcapng  -Y tcp.dstport==443 -o tcp.calculate_timestamps:TRUE -z io,stat,0,SUM\(tcp.time_delta\)tcp.time_delta
Running as user "root" and group "root". This could be dangerous.

============================================
| IO Statistics                            |
|                                          |
| Duration: 3.144 secs                     |
| Interval: 3.144 secs                     |
|                                          |
| Col 1: SUM(tcp.time_delta)tcp.time_delta |
|------------------------------------------|
|                |1         |              |
| Interval       |    SUM   |              |
|---------------------------|              |
| 0.000 <> 3.144 | 3.168073 |              |
============================================
root@kali:~#

Comments

Instead of escaping "troublesome" characters in the command line you can also quote them, e.g.

tshark -r ./nfl_short.pcapng  -o tcp.calculate_timestamps:TRUE -Y tcp.dstport==443 -z "io,stat,0,SUM(tcp.time_delta)tcp.time_delta"

Might be more helpful to show the parameters in the same order so that folks don't think it's significant for the OS.

grahamb ( 2020-01-07 22:41:28 +0000 )

I happen to be a big fan of the "\" backslash. Especially when trying to remember if it takes 3, 4 or 5 to escape a regular expression in sed or grep. :-)

The issue in the original question was typos:
- there are extra characters between sample.pcapng and the -Y (copy/paste to vi to see these)
- 0."SUM vs 0,"Sum in the second

Chuckc ( 2020-01-08 13:43:10 +0000 )

I guess the other thing with escapes is that they tend to be OS\shell specific, whereas quotes don't, although what needs to be quoted is another big ball of hair.

grahamb ( 2020-01-08 13:50:49 +0000 )
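The answer's two command lines and the escaping-versus-quoting discussion in the comments, as an added example that is not from this thread or from the Wireshark project: a small Python helper that hands the -z argument to tshark as an argv list (so no shell ever sees the parentheses, on Windows or Linux) and parses the resulting IO Statistics table into numbers. The table layout it expects is the one printed in the answer; the function names, the sample output and the "Dur" handling for the last interval are my assumptions.

```python
"""Run tshark -z io,stat without shell quoting pitfalls and parse its table.

Added example for this thread, not Wireshark project code.  Assumptions:
tshark accepts the -z io,stat,<interval>,<calc> syntax shown in the answer
and prints the IO Statistics table in the layout quoted there.
"""
import re
import subprocess
from typing import Dict, List, Optional


def build_iostat_argv(pcap: str, display_filter: Optional[str],
                      calcs: List[str], interval: str = "0") -> List[str]:
    """Return an argv list for tshark.

    Passing a list to subprocess.run (never shell=True) means the string
    SUM(tcp.time_delta)tcp.time_delta reaches tshark byte-for-byte on every
    OS, so neither the backslash escapes nor the double quotes from the
    thread are needed.
    """
    argv = ["tshark", "-r", pcap, "-o", "tcp.calculate_timestamps:TRUE"]
    if display_filter:
        argv += ["-Y", display_filter]
    # one -z argument: io,stat,<interval>,<calc>[,<calc>...]
    argv += ["-z", ",".join(["io", "stat", interval, *calcs])]
    return argv


# Constructed sample, copied in shape from the table tshark printed above.
SAMPLE_OUTPUT = """\
============================================
| IO Statistics                            |
|                                          |
| Duration: 9.198 secs                     |
| Interval: 9.198 secs                     |
|                                          |
| Col 1: SUM(tcp.time_delta)tcp.time_delta |
|------------------------------------------|
|                |1         |              |
| Interval       |    SUM   |              |
|---------------------------|              |
| 0.000 <> 9.198 | 7.577713 |              |
============================================
"""

_COL_RE = re.compile(r"^\| Col (\d+): (.+?)\s*\|$")
# interval rows look like "| 0.000 <> 9.198 | 7.577713 | ... |"; the last
# interval may be printed as "<> Dur" (assumption), which we map to None
_ROW_RE = re.compile(r"^\|\s*([\d.]+) <> ([\d.]+|Dur)\s*\|(.*)$")


def parse_iostat(text: str) -> List[Dict[str, object]]:
    """Parse an IO Statistics table into one dict per interval row.

    Each dict has 'start', 'end' (float or None for Dur) and 'values',
    a mapping from the Col N label to the parsed number.
    """
    columns: List[str] = []
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _COL_RE.match(line)
        if m:
            columns.append(m.group(2))
            continue
        m = _ROW_RE.match(line)
        if not m:
            continue
        # cells after the interval; trailing padding cells are blank
        cells = [c.strip() for c in m.group(3).split("|")]
        numbers = [float(c) for c in cells if c]
        if len(numbers) != len(columns):
            raise ValueError(f"expected {len(columns)} values in: {line!r}")
        end = None if m.group(2) == "Dur" else float(m.group(2))
        rows.append({"start": float(m.group(1)), "end": end,
                     "values": dict(zip(columns, numbers))})
    return rows


def run_iostat(argv: List[str]) -> List[Dict[str, object]]:
    """Invoke tshark with the argv list and parse its stdout."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return parse_iostat(proc.stdout)


if __name__ == "__main__":
    calc = "SUM(tcp.time_delta)tcp.time_delta"
    print(build_iostat_argv("sample.pcapng", "tcp.dstport==443", [calc]))
    for row in parse_iostat(SAMPLE_OUTPUT):
        print(row)
```

Because subprocess.run receives a list rather than a shell string, the same call works unchanged on Windows and Linux; the backslash and double-quote variants from the answer only matter when the command is typed into a shell, which is exactly the point grahamb makes about escapes being shell specific.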


Stats

Asked: 2020-01-07 19:10:30 +0000

Seen: 357 times

Last updated: Jan 07 '20