Hello: I am trying to use tshark to gather statistics of the conversations between endpoints in a trace file. I would like to get an output similar to what I obtain using Wireshark -> Statistics -> Conversations. For the same trace file, Wireshark takes about 1 minute to compute the statistics. Tshark keeps running and does not finish. Here is the command I am running:

    C:\Program Files\Wireshark>tshark -q -z conv,ip -r "C:\captures\file1.pcap"

Is there anything wrong? Thank you! Hugo

asked 08 Nov '12, 08:42 hugosp
2 Answers:
tshark uses a tap to collect information for the conversation stats. So, basically it's the same code that wireshark is using and therefore there is no reason why tshark 'conv stats' should be slower than Wireshark stats. So, there must be a problem with your tshark version, your OS config, or the tshark/wireshark configuration. Some questions:
Regards

answered 08 Nov '12, 19:27 Kurt Knochner ♦

Hello Kurt,

    TShark 1.8.3 (SVN Rev 45256 from /trunk-1.8)
    Running on 64-bit Windows 7 Service Pack 1, build 7601, with WinPcap version 4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b (20091008).

Regarding the last question, Tshark actually shows two messages (which I have searched and read to be a bug with no special problem):

    OOPS: dissector table "sctp.ppi" doesn't exist Protocol being registered is "Datagram Transport Layer Security"

Actually I have now left it running for half an hour and it did end. I still don't understand why it is so much slower than Wireshark. Your help is very much appreciated! Thanks, Hugo (08 Nov '12, 21:21) hugosp

some more questions:
(09 Nov '12, 02:02) Kurt Knochner ♦

My pcap file is 119 MB. I am not sure what you mean by full stats, but I think the answer is yes, I used ->C:\captures\results.txt and the text file has a list of conversations along with the statistics for each. I actually tried to compare the statistics obtained with Wireshark and those with tshark for the same conversation, and the numbers actually do not match exactly... (09 Nov '12, 08:40) hugosp

As I cannot observe that behavior on the same system (Win7, 1.8.3), it must be related to either your system, your wireshark configuration or the pcap file. Let's try to sort it out:
(09 Nov '12, 11:41) Kurt Knochner ♦

Hello: So I tried the same command for a smaller pcap file (23 MB) and it worked fine, meaning that the results are the same as those computed by Wireshark and it ran in a reasonable amount of time. But I also tried another large pcap file and it again takes too long to run (~40 minutes), much more than Wireshark. Good news is that the results seem to be coherent with the ones from Wireshark. Here is the output of the command you requested:

    OOPS: dissector table "sctp.ppi" doesn't exist Protocol being registered is "Datagram Transport Layer Security"
    # TRUE or FALSE (case-insensitive), or a list of address types to resolve.
    #name_resolve: mtC
    #name_resolve_concurrency: 500
    #name_resolve_load_smi_modules: FALSE
    #name_resolve_suppress_smi_errors: FALSE
    # Whether the NCP dissector should echo the NDS Entry ID to name resolves to the expert table.

Thanks again, Hugo (10 Nov '12, 13:20) hugosp
O.K. so, it looks like it's related to the size of the capture file. Strange. I'll do some tests myself.

UPDATE

tshark (1.8.3) seems to be notably faster on my system for comparable statistics (tshark: -z conv,tcp; Wireshark: Conversation List -> TCP). I have not checked why tshark is that much faster than Wireshark. Maybe it's due to the GUI overhead (updating the listview while running the statistics).

Test #1: 250 MBytes HTTP data
Test #2: 500 MBytes HTTP data
Conclusion: If tshark takes 40 minutes on your system it's either related to the configuration of your system, or you discovered a bug that only shows up in your special environment.
Regards

answered 11 Nov '12, 01:19 Kurt Knochner ♦ edited 18 Nov '12, 03:57

Hey, so did you get to any conclusion? Thanks! (17 Nov '12, 14:09) hugosp

see my UPDATE in the answer (18 Nov '12, 03:46) Kurt Knochner ♦

Hello: So the CPU usage is around 35% and memory is 2.34 GB. Regarding the Antivirus, I have Symantec Endpoint Protection, which I believe came with the computer. I tried to disable it, but the problem persists. Tshark takes much longer than Wireshark. Also, could you please try conv,ip instead of conv,tcp? Thanks again, Hugo (21 Nov '12, 09:17) hugosp

same result for conv,ip. However my CPU runs at 100% load all taken by tshark. Are you sure it was totally disabled? Can you possibly uninstall it? (21 Nov '12, 10:40) Kurt Knochner ♦

Hello Kurt, I tried to run this on my Ubuntu OS and the run time is the same. Do you think you can give me the file you are using or that I give you my file? I am pretty sure it must have to do with the pcap file. Thanks (28 Feb '13, 16:26) hugosp
sure. Just upload it somewhere (google docs, one-click file hoster, etc.) and post the link here. Regards (01 Mar '13, 09:37) Kurt Knochner ♦

Thank you. Here is the file. https://dl.dropbox.com/u/8056002/secs_00000_20120920085905.pcap Let me know how long it takes for you. (01 Mar '13, 13:21) hugosp
how big is the file you're trying to read?
it is ~100 MB.
What I find unexpected is that Wireshark is actually faster. In the statistics window, Wireshark computes stats for all types of conversations (ip, tcp, etc.) and even shows them. So it would make sense for tshark to be much faster.
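The numbers the thread is comparing (frames and bytes per endpoint pair, in each direction, as `tshark -z conv,ip` and Wireshark's Conversations window report them) can be recomputed independently from the capture, which is one way to settle a mismatch like the one Hugo mentions. The script below is an added example, not code from this thread or from the Wireshark project. It reads a classic pcap file (pcapng is not handled), looks only at IPv4 carried directly in Ethernet, counts each frame's length on the wire as its byte count (the definition this example assumes for the "Bytes" column), and performs no deeper dissection, so on captures with VLAN tags, tunnels or fragmentation it will legitimately differ from tshark. The sample capture it builds is constructed inline; all function names are the example's own.

```python
"""Recompute IPv4 conversation statistics from a classic pcap file.

Added example (not tshark/Wireshark code): approximates `tshark -z conv,ip`
for plain Ethernet/IPv4 captures so the two tools' numbers can be cross-checked.
"""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1
PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)  # microsecond and nanosecond timestamp variants


def _pcap_records(data):
    """Yield (length_on_wire, captured_bytes) for each record of a classic pcap blob."""
    if struct.unpack("<I", data[:4])[0] in PCAP_MAGICS:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] in PCAP_MAGICS:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24  # global header is 24 bytes; each record header is 16 bytes
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield orig_len, data[off:off + incl_len]
        off += incl_len


def ip_conversations(data):
    """Map (addr_a, addr_b), with addr_a <= addr_b, to frame and byte counts per direction."""
    convs = defaultdict(lambda: {"frames_ab": 0, "bytes_ab": 0, "frames_ba": 0, "bytes_ba": 0})
    for orig_len, pkt in _pcap_records(data):
        # Skip anything that is not IPv4 directly over Ethernet (ARP, IPv6, VLAN-tagged, truncated).
        if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = pkt[14:]
        if ip[0] >> 4 != 4:
            continue
        src, dst = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
        a, b = sorted((src, dst))          # unordered pair: one conversation for both directions
        entry = convs[(str(a), str(b))]
        direction = "ab" if src == a else "ba"
        entry["frames_" + direction] += 1
        entry["bytes_" + direction] += orig_len   # frame length on the wire, not captured length
    return dict(convs)


def format_table(convs):
    """Render the counts roughly the way the tshark conversation table is laid out."""
    head = f"{'A':<16}{'B':<16}{'A->B frames':>12}{'A->B bytes':>12}{'B->A frames':>12}{'B->A bytes':>12}{'total bytes':>12}"
    rows = [head]
    by_total = sorted(convs.items(), key=lambda kv: kv[1]["bytes_ab"] + kv[1]["bytes_ba"], reverse=True)
    for (a, b), e in by_total:
        rows.append(f"{a:<16}{b:<16}{e['frames_ab']:>12}{e['bytes_ab']:>12}"
                    f"{e['frames_ba']:>12}{e['bytes_ba']:>12}{e['bytes_ab'] + e['bytes_ba']:>12}")
    return "\n".join(rows)


# --- constructed sample capture (not a real trace) -----------------------------------------

def _ipv4_frame(src, dst, payload_len):
    """Build a minimal Ethernet + IPv4 (UDP-marked, zero payload) frame."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip_hdr + b"\x00" * payload_len


def _pcap(frames):
    """Wrap frames in a little-endian classic pcap container."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + body


def sample_pcap():
    """Three frames 10.0.0.1->10.0.0.2, one reply, one to another host, one ARP frame to be ignored."""
    frames = [
        _ipv4_frame("10.0.0.1", "10.0.0.2", 100),   # 134 bytes on the wire
        _ipv4_frame("10.0.0.1", "10.0.0.2", 100),
        _ipv4_frame("10.0.0.2", "10.0.0.1", 40),    # 74 bytes
        _ipv4_frame("10.0.0.1", "10.0.0.2", 100),
        _ipv4_frame("10.0.0.1", "192.168.1.9", 10), # 44 bytes
        b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", 0x0806) + b"\x00" * 28,  # ARP
    ]
    return _pcap(frames)


if __name__ == "__main__":
    print(format_table(ip_conversations(sample_pcap())))
```

To use it on a real trace, replace `sample_pcap()` with `open(path, "rb").read()`; if tshark was run with name resolution enabled, compare against its output with `-n` so both sides show raw addresses.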