Ask Your Question
0

stumbling over the use of io,stat,0,SUM

asked 2020-02-15 13:11:34 +0000

Stuart Kendrick gravatar image

I don't understand the output I get when I try to sum tcp.time_delta in a trace

    C:\Temp>tshark -r P-Inside-sliced.pcapng -o tcp.calculate_timestamps:TRUE -Y tcp.dstport==443 -qz io,stat,0,SUM(tcp.time_delta)tcp.time_delta

============================================
| IO Statistics                            |
|                                          |
| Duration: 18.2 secs                      |
| Interval: 18.2 secs                      |
|                                          |
| Col 1: SUM(tcp.time_delta)tcp.time_delta |
|------------------------------------------|
|              |1           |              |
| Interval     |     SUM    |              |
|---------------------------|              |
|  0.0 <> 18.2 | 106.856631 |              |
============================================

C:\Temp>

The believe that the Total Time encompassed in this trace is 18.2s ... but then, how can the Sum of tcp.time_delta be ~106s?

And further, if I sum tcp_time.delta in the other direction (notice the change from tcp.dstport to tcp.srcport) ... I would have predicted that the SUM would be some other number ... not ~106s again

    C:\Temp>tshark -r P-Inside-sliced.pcapng -o tcp.calculate_timestamps:TRUE -Y tcp.srcport==443 -qz io,stat,0,SUM(tcp.time_delta)tcp.time_delta

============================================
| IO Statistics                            |
|                                          |
| Duration: 18.2 secs                      |
| Interval: 18.2 secs                      |
|                                          |
| Col 1: SUM(tcp.time_delta)tcp.time_delta |
|------------------------------------------|
|              |1           |              |
| Interval     |     SUM    |              |
|---------------------------|              |
|  0.0 <> 18.2 | 106.856631 |              |
============================================

C:\Temp>

See http://www.skendric.com/ask_wireshark for the pcaps

BTW: I have taken two pcaps, one from just inside a particular network device, the other from just outside same device, and I'm trying to use this technique to measure the device's impact on performance

--sk

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
1

answered 2020-02-16 04:54:38 +0000

Chuckc gravatar image
tcp.time_delta  Time since previous frame in this TCP stream


If the capture has more than one stream in parallel then the sum can be larger than the elapsed time.
Changing the filter on the sum will sum data for a single stream.

-qz io,stat,0,SUM(tcp.time_delta)tcp.stream==0
edit flag offensive delete link more

Comments

Ahh, got it -- thank you

Stuart Kendrick gravatar imageStuart Kendrick ( 2020-02-16 11:38:56 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-02-15 13:11:34 +0000

Seen: 233 times

Last updated: Feb 16 '20