This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tshark io,stat, filtering broken in 1.8.x?

0

Hi all,

I was just trying to use filters in tshark -r file.pcap -qz io,stat,0,filter1,filter2,filter3... which works perfectly up to 1.6.x but in my 1.8.2 tshark always just throws me the all packet statistics without any filter and without displaying multiple columns like one per filter which it should do and always did with pre-1.8 versions.

Any suggestions or did I overlook something in the release notes like syntax change or anything?

asked 18 Sep '12, 23:53

Landi

edited 18 Sep '12, 23:53


2 Answers:

2

Could this be a locale-related problem? What happens if you try one of these?:

tshark -r trace.pcap -qz io,stat,0.0,stp,ip,icmp

or

tshark -r trace.pcap -qz io,stat,0,0,stp,ip,icmp

answered 22 Oct '12, 10:41

cmaynard ♦♦

Sometimes the most obvious doesn't catch one's eyes - thanks a lot - that's exactly what is happening here... although I'm still wondering why Portable_1.6.x works just fine

Thanks a lot - made my day

(23 Oct '12, 00:22) Landi
D:\Traces>tshark -r trace.pcap -qz io,stat,0,0,tcp.port==80
OOPS: dissector table sctp.ppi doesn't exist
Protocol being registered is Datagram Transport Layer Security
| IO Statistics                   |
| Interval size: 360.0 secs (dur) |
| Col 1: tcp.port==80             |
|---------------------------------|
|                |1               |
| Interval       | Frames | Bytes |
|---------------------------------|
|   0.0 <> 360.0 |     55 | 24992 |
vs.
D:\Traces>tshark -r trace.pcap -qz io,stat,0.0,tcp.port==80
| IO Statistics                    |
|                                  |
| Interval size: 360.0 secs (dur)  |
| Col 1: Frames and bytes          |
|----------------------------------|
|                |1                |
| Interval       | Frames |  Bytes |
|----------------------------------|
|   0.0 <> 360.0 |   1390 | 392606 |
(23 Oct '12, 00:30) Landi

This locale problem was reported in bug 2880, and I had fixed it in r34926; however, it was broken again with r41231 in order to fix bug 6883.

(23 Oct '12, 08:01) cmaynard ♦♦

@Landi, what exactly is your locale? I'm trying to recreate this problem, but whenever I try to use "0,0" with either a French (Switzerland) or Dutch (Netherlands) locale, I always get the following, which indicates to me that the ',' is not being gobbled up as part of the floating point number as I would expect it to be:

tshark: Couldn't register io,stat tap: Filter "0" is invalid - "0" is neither a field nor a protocol name.

Also, what are your LC_ALL, LANG, etc. environment variables?

(23 Oct '12, 12:10) cmaynard ♦♦

I'm using German Windows7 64-bit with de-de locale. For LC_ALL, LANG etc. I did not spot those under my environmental settings -> is there a specific command to display those?

(24 Oct '12, 00:00) Landi

Thanks for the information. I have committed another fix for this problem in r45770 and scheduled it for 1.8.4.

(24 Oct '12, 10:54) cmaynard ♦♦

Thanks a lot - this really made me go nuts :)

(24 Oct '12, 23:58) Landi
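
Added example (not part of the original thread and not Wireshark's code): a simplified C model of how a locale-aware number parser splits the io,stat argument, with the decimal separator passed in explicitly so both behaviours can be compared on any machine. The function name split_io_stat and the splitting rule are assumptions; the inputs are the argument forms quoted in the comments above.

```c
#include <locale.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (an assumption, not tshark source) of splitting the
 * "<interval>[,<filter>...]" part of -z io,stat. `dp` is the decimal
 * separator the number parser honours: '.' in the C locale, ',' in de-DE.
 * Returns the filter list, or NULL when no ",<filter>" follows the number. */
static const char *split_io_stat(const char *arg, char dp, double *interval)
{
    double value = 0.0, scale = 1.0;
    int seen_dp = 0;

    for (; (*arg >= '0' && *arg <= '9') || (*arg == dp && !seen_dp); arg++) {
        if (*arg == dp) {
            seen_dp = 1;            /* the separator is part of the number */
        } else if (seen_dp) {
            scale /= 10.0;
            value += (*arg - '0') * scale;
        } else {
            value = value * 10.0 + (*arg - '0');
        }
    }
    *interval = value;
    return (*arg == ',' && arg[1] != '\0') ? arg + 1 : NULL;
}

int main(void)
{
    /* Constructed inputs: the argument forms quoted in the thread. */
    const char *args[] = { "0,stp,ip,icmp", "0,0,stp,ip,icmp", "0.0,tcp.port==80" };
    double iv;

    setlocale(LC_NUMERIC, "");      /* pick up the user's locale, as a CLI would */
    printf("decimal separator in this locale: '%s'\n", localeconv()->decimal_point);

    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
        const char *c_loc  = split_io_stat(args[i], '.', &iv);
        const char *de_loc = split_io_stat(args[i], ',', &iv);
        printf("%-18s  '.': %-16s  ',': %s\n", args[i],
               c_loc ? c_loc : "(no filter)", de_loc ? de_loc : "(no filter)");
    }
    return 0;
}
```

With ',' as separator the model drops the filters for "0,stp,ip,icmp" and "0.0,tcp.port==80" and keeps them for "0,0,...", matching the outputs posted above. A script that relies on io,stat filters can confirm they were applied by checking that the "Col 1:" header line names the filter rather than "Frames and bytes".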

1

This is probably related to changes made in response to bug 6883. Due to those changes, there were some adverse performance side effects reported in bug 7674, which have been fixed and already backported to the 1.8 branch, so they will be part of 1.8.3 and later releases.

Now, whether those latest changes resolve this problem or not is another matter. Can you test with the latest automated build for your platform? If it's still an issue, I'd suggest filing a new bug report.

answered 19 Sep '12, 07:16

cmaynard ♦♦

I just tried svn 45005 32-bit in Windows8 VM, which had the issue resolved. So I'll see in 1.8.3 and report back when I finished testing ;) THX so far

(19 Sep '12, 08:29) Landi

Just tried 1.8.3 64-bit, same thing there :( Any other clues or is the final 1.8.3 code different in that perspective from svn 45005?

Don't know if that might be related but an old 1.2.x has the same issue or that feature wasn't implemented back then

(16 Oct '12, 07:35) Landi

OK, if 1.8.3 still has a problem but that problem isn't present in the latest trunk, then very likely something else still needs to be backported. I'm just not sure what that would be at the moment. Probably still a good idea to file a bug report.

(17 Oct '12, 07:22) cmaynard ♦♦

I figured 1.8.3 32-Bit doesn't have the problem, neither does svn 45656 for 32-bit, so I think this is related to 64-bit only versions.

Can anyone else confirm this or does someone not have this issue running 64-bit 1.8.x Versions?

(19 Oct '12, 06:20) Landi

I just tried this with 1.8.3 as well as r45660, and for the test I ran, it worked just fine whether running on Windows XP SP3 32-bit or Windows 7 64-bit. Are you using stock or customized Wireshark versions? Perhaps it's related to your specific capture file and/or with the specific capture filter(s) you're using?

(19 Oct '12, 12:34) cmaynard ♦♦

I also tried creating a fresh "default" profile and running tshark with those settings -> same result and also totally independent of the trace file I select.

My Standard Profile just has Reassembly IP/TCP disabled, additional columns, non-default coloring rules and that's all.

Below I attached a screen of both tries, upper version is installed 1.8.3 on Win7-64Bit, lower version is portable Apps working just fine with same call.

Edit: formatting not working as expected -> snipped to essentials, sorry for the layout, hope you see the difference

(19 Oct '12, 12:49) Landi

D:\Traces>tshark -r trace.pcap -C clitest -qz io,stat,0,stp,ip,icmp

OOPS: dissector table "sctp.ppi" doesn't exist

Protocol being registered is "Datagram Transport Layer Security"

| Interval | Frames | Bytes |
|----------------------------------|
| 0.0 <> 360.0 | 1390 | 392606

D:\Traces>\PortableApps\WiresharkPortable_1.6.8\App\Wireshark\tshark -r trace.pcap -qz io,stat,0,stp,ip,icmp

IO Statistics
Column #0: stp
Column #1: ip
Column #2: icmp
| Column #0 | Column #1 | Column #2

(19 Oct '12, 12:51) Landi

For me, this works with 32-bit or 64-bit as I indicated and as can be seen using the wwwww.pcap file from the Wireshark menagerie, which contains stp, ip and icmp packets:

C:\wireshark\trunk>wireshark-gtk2\tshark.exe -qz io,stat,0,stp,ip,icmp -r wwwww.pcap

| |1 |2 |3 |
| Interval | Frames | Bytes | Frames | Bytes | Frames | Bytes |
| 0.0 <> 2175.3 | 1072 | 64320 | 1948 | 1169317 | 8 | 592 |

Something with your configuration file then?

(19 Oct '12, 13:24) cmaynard ♦♦

I have no clue where to look - what kind of configuration could possibly be not affected by creating and using a complete fresh profile? Or otherwise: Is there another way to force tshark to use a specific/default profile?

(22 Oct '12, 03:15) Landi

You can use 'tshark -C <profilename> …' to select a specific profile.

(22 Oct '12, 05:58) SYN-bit ♦♦

Yeah, I already did with a freshly created default profile like in the screens above - that’s why I was wondering where else there might be some “settings”

(22 Oct '12, 07:43) Landi