This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tshark conversation statistics

0

Hello:

I am trying to use tshark to gather statistics of the conversations between endpoints in a trace file. I would like to get an output similar to what I obtain using Wireshark -> Statistics -> Conversations. For the same trace file, Wireshark takes about 1 minute to compute the statistics. Tshark keeps running and does not finish. Here is the command I am running:

C:\Program Files\Wireshark>tshark -q -z conv,ip -r "C:\captures\file1.pcap"

Is there anything wrong?

Thank you! Hugo

asked 08 Nov '12, 08:42


hugosp
1336
accept rate: 0%
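The question wants the equivalent of the Statistics -> Conversations window from the command line. Once `tshark -q -z conv,ip -r file.pcap` does finish, its table is plain text, so the natural next step (and the one the thread later attempts by hand) is to parse it and compare the numbers against Wireshark. The script below is an added example, not code from the thread or from the Wireshark project: it parses the conversation table into records, skips the harmless "OOPS" message quoted in the question, checks that each row's Total columns equal the two directional columns, and aggregates bytes per host. The embedded sample is constructed to mirror the layout of the `conv,ip` table (addresses joined by `<->`, then frames/bytes for each direction, totals, relative start and duration); it is not a real capture. `split_endpoint` is an assumed helper for the `host:port` form that `conv,tcp` and `conv,udp` print, so the same parser covers those tables too.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `tshark -q -z conv,ip -r file.pcap` output
# (an IPv4 conversation table); not a real capture from the thread. The first
# line is the harmless "OOPS" message quoted in the question, included to show
# that the parser ignores it.
SAMPLE_CONV_IP = """\
OOPS: dissector table "sctp.ppi" doesn't exist Protocol being registered is "Datagram Transport Layer Security"
================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.0.2.10           <-> 198.51.100.5              40     52000       30      4200       70     56200     0.000000000        12.5000
192.0.2.11           <-> 198.51.100.5               5       600        4       480        9      1080     3.250000000         0.8000
10.0.0.1             <-> 10.0.0.2                  12      1234       10      2345       22      3579     1.000000000         1.2345
================================================================================
"""

# One conversation row: two endpoints joined by "<->", then eight numeric columns.
# Per the column header, the "<-" pair is frames/bytes flowing toward the left
# endpoint (rx), the "->" pair away from it (tx), then totals, relative start, duration.
_ROW = re.compile(
    r"^(?P<a>\S+)\s+<->\s+(?P<b>\S+)"
    r"\s+(?P<rx_frames>\d+)\s+(?P<rx_bytes>\d+)"
    r"\s+(?P<tx_frames>\d+)\s+(?P<tx_bytes>\d+)"
    r"\s+(?P<total_frames>\d+)\s+(?P<total_bytes>\d+)"
    r"\s+(?P<rel_start>[\d.]+)\s+(?P<duration>[\d.]+)\s*$"
)

_INT_FIELDS = ("rx_frames", "rx_bytes", "tx_frames", "tx_bytes", "total_frames", "total_bytes")


def parse_conversations(text):
    """Return one dict per conversation row; banners, headers and noise are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # separator lines, column headers, "OOPS" messages, blanks
        d = m.groupdict()
        for key in _INT_FIELDS:
            d[key] = int(d[key])
        d["rel_start"] = float(d["rel_start"])
        d["duration"] = float(d["duration"])
        rows.append(d)
    return rows


def split_endpoint(endpoint):
    """Split the 'a.b.c.d:port' form printed by conv,tcp / conv,udp into (host, port).

    Assumed helper: only IPv4 host:port is split; conv,ip rows (no port) and IPv6
    addresses, whose colons are ambiguous, are returned unchanged with port None.
    """
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit() and host.count(".") == 3:
        return host, int(port)
    return endpoint, None


def check_totals(rows):
    """Rows whose Total columns disagree with rx + tx.

    A cheap sanity check before comparing tshark's figures with the numbers in
    the Wireshark Conversations window; an empty list means the table is
    internally consistent."""
    return [r for r in rows
            if r["rx_frames"] + r["tx_frames"] != r["total_frames"]
            or r["rx_bytes"] + r["tx_bytes"] != r["total_bytes"]]


def top_talkers(rows, n=5):
    """Conversations ordered by total bytes, largest first."""
    return sorted(rows, key=lambda r: r["total_bytes"], reverse=True)[:n]


def bytes_per_host(rows):
    """Total bytes seen per host across all of its conversations (ports stripped)."""
    totals = defaultdict(int)
    for r in rows:
        for endpoint in (r["a"], r["b"]):
            host, _port = split_endpoint(endpoint)
            totals[host] += r["total_bytes"]
    return dict(totals)


if __name__ == "__main__":
    convs = parse_conversations(SAMPLE_CONV_IP)
    print(f"{len(convs)} conversations, {len(check_totals(convs))} with inconsistent totals")
    for r in top_talkers(convs, 3):
        print(f"{r['a']:>16} <-> {r['b']:<16} {r['total_bytes']:>8} bytes {r['duration']:>8.3f} s")
```

To use it on a real run, redirect tshark's output to a file (as the asker does later in the thread) and pass the file's contents to `parse_conversations`; the per-host totals are what you would line up against the Endpoints window, and the per-conversation rows against the Conversations window.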

how big is the file you're trying to read?

(08 Nov '12, 08:47) zachad

It is ~100 MB.

(08 Nov '12, 09:02) hugosp

What I find unexpected is that Wireshark is actually faster. In the statistics window, Wireshark computes stats for all types of conversations (ip, tcp, etc.) and even shows them. So it would make sense for tshark to be much faster.

(08 Nov '12, 09:11) hugosp

2 Answers:

0

tshark uses a tap to collect information for the conversation stats. So, basically it's the same code that wireshark is using and therefore there is no reason why tshark 'conv stats' should be slower than Wireshark stats.

So, there must be a problem with your tshark version, your OS config, or the tshark/wireshark configuration.

Some questions:

  • what is your tshark version: tshark -v
  • What is your OS version
  • What is the output of tshark until it "freezes"

Regards
Kurt

answered 08 Nov '12, 19:27


Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Hello Kurt,

TShark 1.8.3 (SVN Rev 45256 from /trunk-1.8) Running on 64-bit Windows 7 Service Pack 1, build 7601, with WinPcap version 4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b (20091008).

Regarding the last question, Tshark actually shows two messages (which I have searched for and read to be a bug with no special problem):

OOPS: dissector table "sctp.ppi" doesn't exist Protocol being registered is "Datagram Transport Layer Security"

Actually I have now left it running for half an hour and it did end. I still don't understand why it is so much slower than Wireshark.

Your help is very much appreciated! Thanks, Hugo

(08 Nov '12, 21:21) hugosp

some more questions:

  • how large is your pcap file?
  • did tshark complete with the "full" stats output?

(09 Nov '12, 02:02) Kurt Knochner ♦

My pcap file is 119 MB. I am not sure what you mean by full stats, but I think the answer is yes, I used ->C:\captures\results.txt and the text file has a list of conversations along with the statistics for each.

I actually tried to compare the statistics obtained with Wireshark and those with tshark for the same conversation, and the numbers actually do not match exactly...

(09 Nov '12, 08:40) hugosp

As I cannot observe that behavior on the same system (Win7, 1.8.3), it must be related to either your system, your wireshark configuration or the pcap file. Let's try to sort it out:

  • do you see the same effect with another pcap file?
  • please post the output of the following command:

tshark -G currentprefs | find "resolve"

(09 Nov '12, 11:41) Kurt Knochner ♦

Hello:

So I tried the same command for a smaller pcap file (23 MB) and it worked fine, meaning that the results are the same as those computed by Wireshark and it ran in a reasonable amount of time. But I also tried another large pcap file and it again takes too long to run (~40 minutes), much more than Wireshark. Good news is that the results seem to be coherent with the ones from Wireshark. Here is the output of the command you requested:

OOPS: dissector table "sctp.ppi" doesn't exist Protocol being registered is "Datagram Transport Layer Security"

# TRUE or FALSE (case-insensitive), or a list of address types to resolve.

#name_resolve: mtC

#name_resolve_concurrency: 500

#name_resolve_load_smi_modules: FALSE

#name_resolve_suppress_smi_errors: FALSE

# Whether the NCP dissector should echo the NDS Entry ID to name resolves to the expert table.

Thanks again, Hugo

(10 Nov '12, 13:20) hugosp

0

But I also tried another large pcap file and it again takes too long to run (~40 minutes), much more than Wireshark.

O.K. so, it looks like it's related to the size of the capture file. Strange. I'll do some tests myself.

UPDATE

tshark (1.8.3) seems to be notably faster on my system for comparable statistics (tshark: -z conv,tcp; Wireshark: Conversation List -> TCP). I have not checked why tshark is that much faster than Wireshark. Maybe it's due to the GUI overhead (updating the listview while running the statistics).

Test #1: 250 MBytes HTTP data

  • tshark: 25 seconds
  • Wireshark: 45 seconds

Test #2: 500 MBytes HTTP data

  • tshark: 50 seconds
  • Wireshark: 90 seconds

Conclusion: If tshark takes 40 minutes on your system it's either related to the configuration of your system, or you discovered a bug that only shows up in your special environment.

  • Do you observe high CPU or RAM usage while tshark runs?
  • Do you have any kind of security software installed (Firewall, IDS, Endpoint Protection, Antivirus, and the like)? If so, please disable all of them temporarily and try again.

Regards
Kurt

answered 11 Nov '12, 01:19


Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 18 Nov '12, 03:57

Hey, so did you get to any conclusion? Thanks!

(17 Nov '12, 14:09) hugosp

see my UPDATE in the answer

(18 Nov '12, 03:46) Kurt Knochner ♦

Hello:

So the CPU usage is around 35% and memory is 2.34 GB. Regarding the Antivirus, I have Symantec Endpoint Protection, which I believe came with the computer. I tried to disable it, but the problem persists. Tshark takes much longer than Wireshark. Also, could you please try conv,ip instead of conv,tcp?

Thanks again, Hugo

(21 Nov '12, 09:17) hugosp

same result for conv,ip. However my CPU runs at 100% load all taken by tshark.

I tried to disable it, but the problem persists.

Are you sure it was totally disabled? Can you possibly uninstall it?

(21 Nov '12, 10:40) Kurt Knochner ♦

Hello Kurt,

I tried to run this on my Ubuntu OS and the run time is the same. Do you think you can give me the file you are using or that I give you my file? I am pretty sure it must have to do with the pcap file. Thanks

(28 Feb '13, 16:26) hugosp

or that I give you my file? I am pretty sure it must have to do with the pcap file. Thanks

sure. Just upload it somewhere (google docs, one-click file hoster, etc.) and post the link here.

Regards
Kurt

(01 Mar '13, 09:37) Kurt Knochner ♦

Thank you. Here is the file.

https://dl.dropbox.com/u/8056002/secs_00000_20120920085905.pcap

Let me know how long it takes for you.

(01 Mar '13, 13:21) hugosp