Wireshark-users: Re: [Wireshark-users] tshark protocol hierarchy statistics frames count
From: j.snelders@xxxxxxxxxx
Date: Wed, 20 May 2009 16:51:13 +0200
Hi Florent,

I think the answer is in the User's Guide:
http://www.wireshark.org/docs/wsug_html_chunked/ChStatHierarchy.html

Note! Packets will usually contain multiple protocols, so more than one protocol will be counted for each packet. Example: In the screenshot IP has 99,17% and TCP 85,83% (which is together much more than 100%).

Note! Protocol layers can consist of packets that won't contain any higher layer protocol, so the sum of all higher layer packets may not sum up to the protocol's packet count. Example: In the screenshot TCP has 85,83% but the sum of the subprotocols (HTTP, ...) is much less. This may be caused by TCP protocol overhead (e.g. TCP ACK packets won't be counted as packets of the higher layer).

Note! A single packet can contain the same protocol more than once. In this case, the protocol is counted more than once. For example: in some tunneling configurations the IP layer can appear twice.

Regards
Joan

On Wed, 20 May 2009 13:55:57 +0200 Florent Deybach wrote:
>Hello everybody,
>
>I am using tshark to get the protocol hierarchy on several PCAP files
>with the following command:
>
>For example:
>
>#tshark.exe -qz io,phs -r file-00018.cap
>
>The output is:
>
>=============================================
>Protocol Hierarchy Statistics
>Filter: frame
>
>frame frames:26721 bytes:21836862
>eth frames:26721 bytes:21836862
>ip frames:26721 bytes:21836862
>tcp frames:25921 bytes:21675514
>http frames:11289 bytes:13681015
>short frames:11261 bytes:13679287
>data frames:765 bytes:232183
>ssl frames:5330 bytes:5761777
>short frames:4713 bytes:4972534
>unreassembled frames:597 bytes:787991
>short frames:1479 bytes:1337465
>tpkt frames:182 bytes:39858
>nbss frames:178 bytes:163832
>short frames:75 bytes:31104
>data frames:2 bytes:1510
>dns frames:32 bytes:12805
>short frames:32 bytes:12805
>smtp frames:59 bytes:27203
>rmi frames:14 bytes:5110
>unreassembled frames:24 bytes:4000
>dns frames:1 bytes:1423
>short frames:1 bytes:1423
>ssh frames:1 bytes:75
>short frames:1 bytes:75
>gtp frames:1 bytes:206
>ldap frames:5 bytes:3204
>short frames:4 bytes:3136
>udp frames:774 bytes:159268
>dns frames:711 bytes:145595
>short frames:687 bytes:144149
>kerberos frames:14 bytes:7435
>short frames:14 bytes:7435
>ntp frames:17 bytes:1530
>short frames:17 bytes:1530
>bootp frames:3 bytes:1026
>short frames:3 bytes:1026
>data frames:8 bytes:480
>nbns frames:9 bytes:1361
>short frames:8 bytes:1263
>snmp frames:8 bytes:974
>short frames:6 bytes:732
>cldap frames:1 bytes:237
>short frames:1 bytes:237
>malformed frames:1 bytes:60
>nbdgm frames:2 bytes:570
>short frames:2 bytes:570
>icmp frames:25 bytes:1926
>short frames:16 bytes:1256
>esp frames:1 bytes:154
>============================================
>
>As you can see, I captured the frames with tcpdump limiting the
>captured frame size to 68 bytes, so there are several frames that are
>truncated. That is why you can see under almost each protocol a "short" line.
>
>The problem is that tshark seems to "forget" (or cannot classify)
>several frames in the TCP frame count. But only in the TCP frames, not
>UDP.
>
>When you take the total of TCP frames, "frames:25921", the sum of each
>protocol in the TCP column immediately "under" the TCP column (without
>"short") is only 19359:
>
>http frames:11289 bytes:13681015
>data frames:765 bytes:232183
>ssl frames:5330 bytes:5761777
>short frames:1479 bytes:1337465
>tpkt frames:182 bytes:39858
>nbss frames:178 bytes:163832
>dns frames:32 bytes:12805
>smtp frames:59 bytes:27203
>rmi frames:14 bytes:5110
>unreassembled frames:24 bytes:4000
>ssh frames:1 bytes:75
>gtp frames:1 bytes:206
>ldap frames:5 bytes:3204
>
>So there are 25921 - 19359 = 6562 missing frames.
>
>I have the same behavior with 20 other files, each containing 2.000.000
>frames: there are 500.000 TCP frames that are not counted on
>average....
>
>Do you see where the problem is? (I hope I made myself clear ;))
>
>Thanks!
>
>Florent
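The counting rule Joan quotes from the User's Guide can be checked mechanically rather than by adding the column by hand. The script below is an added example, not code from this thread or from the Wireshark project. It parses the text layout that `tshark -qz io,phs` prints (two spaces of indentation per nesting level, which the archive copy above has flattened into one line per entry) into a tree and reports, for every protocol, how many of its frames are counted under none of its child protocols. The sample input is constructed from the counts in Florent's listing, with the levels below the TCP and UDP children left out. On that input TCP shows exactly the 6562 frames Florent computed, while the UDP children add up to 774 with nothing left over, which is the pattern expected of TCP control segments (SYN, pure ACK, FIN) that carry no payload for a higher-layer dissector to claim. The `Node`, `parse_phs`, `walk` and `report` names are my own.

```python
"""Parse `tshark -qz io,phs` output and report, per protocol, how many of
its frames carry no higher-layer protocol (the "missing" frames above)."""
import re
from dataclasses import dataclass, field

# One statistics row: two-space indentation per nesting level, protocol name,
# then "frames:N bytes:M". Banner, "Filter:" and separator lines do not match.
ROW_RE = re.compile(r"^( *)(\S+)\s+frames:(\d+)\s+bytes:(\d+)\s*$")


@dataclass
class Node:
    proto: str
    frames: int
    nbytes: int
    children: list = field(default_factory=list)

    def unattributed(self) -> int:
        # > 0: frames with no child protocol (e.g. pure TCP ACK/SYN/FIN)
        # < 0: some frame was counted under more than one sibling protocol
        return self.frames - sum(c.frames for c in self.children)


def parse_phs(text: str) -> list:
    """Build the protocol tree; returns the root nodes (normally just 'frame')."""
    roots, stack = [], []  # stack: (depth, node) along the currently open branch
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        indent, proto, frames, nbytes = m.groups()
        depth = len(indent) // 2
        node = Node(proto, int(frames), int(nbytes))
        while stack and stack[-1][0] >= depth:
            stack.pop()  # leave branches at the same or a deeper level
        (stack[-1][1].children if stack else roots).append(node)
        stack.append((depth, node))
    return roots


def walk(node: Node, depth: int = 0):
    """Depth-first traversal yielding (depth, node)."""
    yield depth, node
    for child in node.children:
        yield from walk(child, depth + 1)


def report(roots: list) -> str:
    """Render the tree, flagging every node whose children do not add up."""
    out = []
    for root in roots:
        for depth, node in walk(root):
            gap, note = node.unattributed(), ""
            if node.children and gap > 0:
                note = f"   <- {gap} frames with no higher-layer protocol"
            elif gap < 0:
                note = f"   <- {-gap} frames counted under more than one sibling"
            out.append(f"{'  ' * depth}{node.proto:<14}frames:{node.frames}{note}")
    return "\n".join(out)


# Constructed sample in tshark's own layout, using the counts from the
# listing above; the levels below the TCP and UDP children are left out.
SAMPLE = """\
Protocol Hierarchy Statistics
Filter: frame

frame                                    frames:26721 bytes:21836862
  eth                                    frames:26721 bytes:21836862
    ip                                   frames:26721 bytes:21836862
      tcp                                frames:25921 bytes:21675514
        http                             frames:11289 bytes:13681015
        data                             frames:765 bytes:232183
        ssl                              frames:5330 bytes:5761777
        short                            frames:1479 bytes:1337465
        tpkt                             frames:182 bytes:39858
        nbss                             frames:178 bytes:163832
        dns                              frames:32 bytes:12805
        smtp                             frames:59 bytes:27203
        rmi                              frames:14 bytes:5110
        unreassembled                    frames:24 bytes:4000
        ssh                              frames:1 bytes:75
        gtp                              frames:1 bytes:206
        ldap                             frames:5 bytes:3204
      udp                                frames:774 bytes:159268
        dns                              frames:711 bytes:145595
        kerberos                         frames:14 bytes:7435
        ntp                              frames:17 bytes:1530
        bootp                            frames:3 bytes:1026
        data                             frames:8 bytes:480
        nbns                             frames:9 bytes:1361
        snmp                             frames:8 bytes:974
        cldap                            frames:1 bytes:237
        malformed                        frames:1 bytes:60
        nbdgm                            frames:2 bytes:570
      icmp                               frames:25 bytes:1926
      esp                                frames:1 bytes:154
"""

if __name__ == "__main__":
    print(report(parse_phs(SAMPLE)))
```

To confirm on the original capture what those TCP frames are, count the frames selected by the display filter `tcp.len == 0` (for example `tshark -r file-00018.cap -Y "tcp.len == 0" | wc -l`; older tshark versions take `-R` instead of `-Y`). If that count is close to the gap reported for tcp, the frames were not dropped by the statistics: they simply carry no payload for any higher-layer dissector to claim, which is exactly the second note Joan quotes.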