I don't understand the output I get when I try to sum tcp.time_delta in a trace
C:\Temp>tshark -r P-Inside-sliced.pcapng -o tcp.calculate_timestamps:TRUE -Y tcp.dstport==443 -qz io,stat,0,SUM(tcp.time_delta)tcp.time_delta ============================================ | IO Statistics | | | | Duration: 18.2 secs | | Interval: 18.2 secs | | | | Col 1: SUM(tcp.time_delta)tcp.time_delta | |------------------------------------------| | |1 | | | Interval | SUM | | |---------------------------| | | 0.0 <> 18.2 | 106.856631 | | ============================================ C:\Temp>
The believe that the Total Time encompassed in this trace is 18.2s ... but then, how can the Sum of tcp.time_delta be ~106s?
And further, if I sum tcp_time.delta in the other direction (notice the change from tcp.dstport to tcp.srcport) ... I would have predicted that the SUM would be some other number ... not ~106s again
C:\Temp>tshark -r P-Inside-sliced.pcapng -o tcp.calculate_timestamps:TRUE -Y tcp.srcport==443 -qz io,stat,0,SUM(tcp.time_delta)tcp.time_delta ============================================ | IO Statistics | | | | Duration: 18.2 secs | | Interval: 18.2 secs | | | | Col 1: SUM(tcp.time_delta)tcp.time_delta | |------------------------------------------| | |1 | | | Interval | SUM | | |---------------------------| | | 0.0 <> 18.2 | 106.856631 | | ============================================ C:\Temp>
See http://www.skendric.com/ask_wireshark for the pcaps
BTW: I have taken two pcaps, one from just inside a particular network device, the other from just outside same device, and I'm trying to use this technique to measure the device's impact on performance
--sk
