Wireshark · Ethereal-users: Re: [Ethereal-users] Ethereal Top Talkers - Other reporting info?

[spamcontrol2@xxxxxxxxx]

Guy,

You're absolutely right, my mistake - I WAS referring to the "Packet List" pane,
not the decode pane.  Not sure why I said "decode" pane, I never refer to it in
this way - sorry about the confusion.

In fact, there were two main ideas behind my request - 1) I often need a way to
spot "interesting events" or quickly reference response times as I scan through
a trace, and 2) I wanted a way to export this information, in its entirety, to a
file that I could easily manipulate (with Excel or other programs we've written)

Ronnie's answered the majority of these with his responses.  Unfortunately I
haven't had much time to spend looking at this yet, but it sounds like the
tethereal packet decode would solve my export fields to file problem (originally
I had envisioned building the columns in the summary/packet list pane and saving
the contents as text, but this is a much cleaner way (and shows that I need to
spend more time with tethereal)).  I'm also assuming that I can also include
fields like NT Transact(2) Function #s, etc, which is very important if I'm
trying to do some statistics based on command/subcommands

Also, the field filtering suggestions (smb.time>t) and color marking suggestions
will be VERY handy.

I still would like to be able to place the response time fields within the
summary/packet list for quicker reference as I scan a trace (it will slow me
down otherwise, and I'm usually not looking for a particular response time). 
There's no way to do this using the Preferences->Columns dialog?

And, from what I can tell there's no easy way to measure response-to-call times
(what I've been calling "client idle times", though I know that's a bit
misleading), at least with NFS/RPC and CIFS, correct?

And to Ronnie's plea:  I make take you up on that.  I've been thinking for a
while about getting a bit more involved with Ethereal, perhaps this is a good
place to get started (and force myself to spend more time with the product).  I
know I haven't been able to find a good resource for how-to, tips & tricks info
other than these mailing lists, so it would be nice if there was some additional
documentation, other than the man pages, along these lines.  I know they'd stop
a lot of my silly questions =)

Ian
> 
> ----- Original Message -----
> From: "Guy Harris"
> Sent: Saturday, January 11, 2003 1:36 PM
> Subject: Re: [Ethereal-users] Ethereal Top Talkers - Other reporting info?
> 
> 
> > On Sat, Jan 11, 2003 at 11:35:23AM +1100, Ronnie Sahlberg wrote:
> > > > ----- Original Message -----
> > > > From: "Ian Schorr"
> > > > Sent: Saturday, January 11, 2003 7:35 AM
> > > > Subject: Re: [Ethereal-users] Ethereal Top Talkers - Other reporting
> info?
> > >
> > > > As long as we're talking about new features =)
> > > >
> > > > How about reporting of Application Response Time within the decode
> pane?
> > > >   (ART as in end-of-call to beginning-of-response delta times, not
> > > > call-to-next-UDP-segment-from-server or call-to-TCP-ACK as Sniffer
> > > > calculates it =)
> > > >
> > > > Graphs would be nice, but ideally I'd like to be able to add a column
> to
> > > > the decode pane that displays ART calculations.  Better yet, columns
> for
> > > > call-to-response, end-of-response to beginning-of-next-call, number of
> > > > calls outstanding (unanswered by the server), etc.  VERY useful
> > > > statistics when trying to troubleshoot any kind of performance issue.
> > > >
> > > > Is this possible now, and I just don't realize it?
> > > >
> 
> If you refer to getting these ART values up on the list of packets, no
> currently that can not be done in ethereal.
> It would however not be very difficult to port the -z proto,colinfo...
> from tethereal to ethereal
> but it requires a GUI to manage it and noone has done it yet.
> 
> But, you can get almost that already in ethereal usding display filters:
> 
> For example:
> Create one display filter "smb.time>0.020" that has the background mapped as
> Yellow.
> and one other displayfilter "smb.time>0.050" that colors the background Red.
> 
> This would then make the entire line for packets where SMB took more than
> 20ms and 50ms repsectively either Yellow or Red.
> 
> 
> Then it would be just a matter of really fast scrolling the packet list pane
> and see if anything Yellow or Red pops by.
> 
> Color filters can be found at "Menu:Display/ColorizeDisplay"
> See user documentation on color filters.
> 
> 
> 
> Using tethereal you can script something similarly useful as
> ...
> NUM_LONG=`tethereal -r $CAPFILE -R "smb.time>0.020" | wc -l`
> echo "Number of SMB's that took more than 20ms to service: $NUM_LONG"
> NUM_VERY_LONG=`tethereal -r $CAPFILE -R "smb.time>0.050" | wc -l`
> echo "Number of SMB's that took more than 20ms to service: $NUM_VERY_LONG"
> ...
> This is just an example.   However, looking at SMB service times you might
> really want to make the -R filter above a bit more intelligent and filter
> out any Transaction2/Notify SMBs since it is sometimes normal
> for them to take a very long/infinite time to service.
> 
> 
> 
> 
> hope this helps answering your question.
> 
> best regards
> ronnie sahlberg
> 
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users