Wireshark-users: [Wireshark-users] tshark protocol hierarchy statistics frames count
From: Florent Deybach <fdeybach@xxxxxxxxxxxxxx>
Date: Wed, 20 May 2009 13:55:57 +0200
Hello everybody,

I am using tshark to get the protocol hierarchy on several PCAP files
with the following command:

For example:

#tshark.exe -qz io,phs -r file-00018.cap

The output is:

=============================================
Protocol Hierarchy Statistics
Filter: frame

frame                                    frames:26721 bytes:21836862
  eth                                    frames:26721 bytes:21836862
    ip                                   frames:26721 bytes:21836862
      tcp                                frames:25921 bytes:21675514
        http                             frames:11289 bytes:13681015
          short                          frames:11261 bytes:13679287
        data                             frames:765 bytes:232183
        ssl                              frames:5330 bytes:5761777
          short                          frames:4713 bytes:4972534
          unreassembled                  frames:597 bytes:787991
        short                            frames:1479 bytes:1337465
        tpkt                             frames:182 bytes:39858
        nbss                             frames:178 bytes:163832
          short                          frames:75 bytes:31104
          data                           frames:2 bytes:1510
        dns                              frames:32 bytes:12805
          short                          frames:32 bytes:12805
        smtp                             frames:59 bytes:27203
        rmi                              frames:14 bytes:5110
        unreassembled                    frames:24 bytes:4000
          dns                            frames:1 bytes:1423
            short                        frames:1 bytes:1423
        ssh                              frames:1 bytes:75
          short                          frames:1 bytes:75
        gtp                              frames:1 bytes:206
        ldap                             frames:5 bytes:3204
          short                          frames:4 bytes:3136
      udp                                frames:774 bytes:159268
        dns                              frames:711 bytes:145595
          short                          frames:687 bytes:144149
        kerberos                         frames:14 bytes:7435
          short                          frames:14 bytes:7435
        ntp                              frames:17 bytes:1530
          short                          frames:17 bytes:1530
        bootp                            frames:3 bytes:1026
          short                          frames:3 bytes:1026
        data                             frames:8 bytes:480
        nbns                             frames:9 bytes:1361
          short                          frames:8 bytes:1263
        snmp                             frames:8 bytes:974
          short                          frames:6 bytes:732
        cldap                            frames:1 bytes:237
          short                          frames:1 bytes:237
        malformed                        frames:1 bytes:60
        nbdgm                            frames:2 bytes:570
          short                          frames:2 bytes:570
      icmp                               frames:25 bytes:1926
        short                            frames:16 bytes:1256
      esp                                frames:1 bytes:154
============================================


As you can see, I captured the frames with tcpdump, limiting the
captured frame size to 68 bytes, so there are several frames that are
truncated.
That is why you can see a "short" line under almost every protocol.

The problem is that tshark seems to "forget" (or cannot classify)
several frames in the TCP frame count. But only in the TCP frames, not
in UDP.

When you take the total of TCP frames, "frames:25921", the sum of each
protocol in the TCP column immediately "under" the TCP column (without
"short") is only 19359:

http                 frames:11289 bytes:13681015
data                 frames:765   bytes:232183
ssl                  frames:5330  bytes:5761777
short                frames:1479  bytes:1337465
tpkt                 frames:182   bytes:39858
nbss                 frames:178   bytes:163832
dns                  frames:32    bytes:12805
smtp                 frames:59    bytes:27203
rmi                  frames:14    bytes:5110
unreassembled        frames:24    bytes:4000
ssh                  frames:1     bytes:75
gtp                  frames:1     bytes:206
ldap                 frames:5     bytes:3204

So there are 25921 - 19359 = 6562 missing frames.

I have the same behavior with 20 other files, each containing 2.000.000
frames; there are 500.000 TCP frames that are not counted on
average...

Do you see where the problem is? (I hope I made myself clear ;))

Thanks!

Florent
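As an added illustration (not part of Florent's message nor of Wireshark's own code), here is a small parser for the `io,phs` text that reports, for every node, the gap between its frame count and the sum of its immediate children. The gap is not lost frames: tshark counts a frame once at every level of that frame's own dissection, so a TCP segment carrying no payload (a pure ACK, SYN or FIN) is counted under tcp but under none of tcp's children, whereas in this capture every UDP datagram was handed to some child dissector (at worst "data" or "malformed"), so udp sums exactly. The embedded counts are copied from the output quoted above, trimmed to the immediate children of tcp and udp.

```python
import re
# Excerpt of the tshark -qz io,phs output quoted in the post (tcp and udp
# subtrees, trimmed to their immediate children; two spaces per level).
PHS = """\
      tcp                frames:25921 bytes:21675514
        http             frames:11289 bytes:13681015
        data             frames:765 bytes:232183
        ssl              frames:5330 bytes:5761777
        short            frames:1479 bytes:1337465
        tpkt             frames:182 bytes:39858
        nbss             frames:178 bytes:163832
        dns              frames:32 bytes:12805
        smtp             frames:59 bytes:27203
        rmi              frames:14 bytes:5110
        unreassembled    frames:24 bytes:4000
        ssh              frames:1 bytes:75
        gtp              frames:1 bytes:206
        ldap             frames:5 bytes:3204
      udp                frames:774 bytes:159268
        dns              frames:711 bytes:145595
        kerberos         frames:14 bytes:7435
        ntp              frames:17 bytes:1530
        bootp            frames:3 bytes:1026
        data             frames:8 bytes:480
        nbns             frames:9 bytes:1361
        snmp             frames:8 bytes:974
        cldap            frames:1 bytes:237
        malformed        frames:1 bytes:60
        nbdgm            frames:2 bytes:570
"""
LINE = re.compile(r"^( *)(\S+)\s+frames:(\d+) bytes:(\d+)")

def unaccounted(phs_text):
    """{path: (frames, sum of immediate children, difference)} for every node.
    A frame counts once per level of its own dissection, so a TCP segment with
    no payload adds to tcp but to no child: the difference counts such frames."""
    nodes, stack = {}, []  # path -> [frames, child_sum]; stack of (indent, path)
    for line in phs_text.splitlines():
        m = LINE.match(line)
        if not m:  # banner, "Filter:" and "====" lines carry no counts
            continue
        indent, name, frames = len(m[1]), m[2], int(m[3])
        while stack and stack[-1][0] >= indent:  # climb back to the parent
            stack.pop()
        path = (stack[-1][1] + "/" if stack else "") + name
        nodes[path] = [frames, 0]
        if stack:
            nodes[stack[-1][1]][1] += frames  # credit the parent's child sum
        stack.append((indent, path))
    return {p: (f, c, f - c) for p, (f, c) in nodes.items()}
```

Running `unaccounted(PHS)` on the full output (everything between the `====` banners) works the same way, since the regex ignores the banner and `Filter:` lines.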