This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Error Graphing Using TShark

I'm getting a strange error running the following Tshark command in Windows Command Prompt:

tshark -q -r capture.cap -t ad -z io,stat,10,ip.src==213.248.117.35 > output.txt

Towards the end of the capture I am getting a huge number of bytes but no packets.

| 2012-11-26 16:32:02 |      0 | 14403224366743552 |
| 2012-11-26 16:32:12 |      0 | 14403224366743552 |
| 2012-11-26 16:32:22 |      0 | 14403224366743552 |
| 2012-11-26 16:32:32 |      0 | 14403224366743552 |
| 2012-11-26 16:32:42 |      0 | 14403224366743552 |

When I run the same graph in Wireshark I do not have that problem.

Can anyone see my problem?

asked 30 Nov '12, 03:45

chazzquire

edited 30 Nov '12, 04:20

Kurt Knochner ♦

What is your tshark version (tshark -v)?

(30 Nov '12, 04:18) Kurt Knochner ♦

1.8.3 Thanks,

(30 Nov '12, 04:21) chazzquire

O.k. at first glance, it looks like a bug in tshark io stats.

  • Is this a very large pcap file?
  • Is it possible to upload the file somewhere (think about privacy issues!)?
  • What is your OS version?
(30 Nov '12, 04:22) Kurt Knochner ♦

I would prefer not to upload the capture. It is a large file size (almost 1GB) which was captured over 1 hour whilst streaming video. I'll try creating a smaller capture to see if that helps.

(30 Nov '12, 04:55) chazzquire

What is your OS version?

(30 Nov '12, 05:07) Kurt Knochner ♦

I've now tried this with 200MB files and I'm having the same problem.

(30 Nov '12, 05:08) chazzquire

Windows 7 Professional

(30 Nov '12, 05:10) chazzquire

Can you further reduce the file (half, half, half) to see if there is any size-related issue?

(30 Nov '12, 05:34) Kurt Knochner ♦

I've downgraded to 1.6.x and this problem is no longer occurring.

(30 Nov '12, 05:37) chazzquire

One Answer:

I've downgraded to 1.6.x and this problem is no longer occurring.

O.K. so, it looks like a bug. Can you please:

  1. Try it with the latest 1.9 version ( http://www.wireshark.org/download/automated/win32/ )
  2. If that does not work either, file a bug report at bugs.wireshark.org

Regards
Kurt

answered 30 Nov '12, 05:44

Kurt Knochner ♦

edited 30 Nov '12, 05:45

Ok, it's not working in 1.9 either so I'll report it.

The "-t ad" addition you gave me yesterday doesn't work in 1.6. Do you know any other way that I can show date and time?

(30 Nov '12, 05:54) chazzquire

The "-t ad" addition you gave me yesterday doesn't work in 1.6.

Yes, I've seen that in the meantime. I believe that has been added after 1.6.

Do you know any other way that I can show date and time?

Only by rewriting the output of tshark with a script. Get the date/time of the first frame and then add the seconds of the tshark output to that date/time. Perl and Date::Calc may help.

UPDATE: Or, run the io stats with 1.6 and 1.8 and take the date/time stamps from the 1.8 output and the data from the 1.6 output.

(30 Nov '12, 06:14) Kurt Knochner ♦
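
The rewrite described in the last comment (add each interval's relative seconds to the date/time of the first frame), as an added example in Python rather than Perl with Date::Calc; it is not code from the thread. The row layout in SAMPLE, its values, and the function names are assumptions constructed for illustration, and rows with zero frames but non-zero bytes (the symptom from the question) are flagged.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of relative-time io,stat output; this layout is an assumption.
SAMPLE = """\
IO Statistics
Interval: 10.000 secs
Column #0: ip.src==213.248.117.35
                |   Column #0
Time            |frames|  bytes
000.000-010.000     120     98304
010.000-020.000      87     65536
020.000-030.000       0 14403224366743552
"""

# start-end (or "start <> end"), frame count, byte count; "|" borders optional
ROW = re.compile(
    r"^[|\s]*(\d+(?:\.\d+)?)\s*(?:-|<>)\s*\d+(?:\.\d+)?[|\s]+(\d+)[|\s]+(\d+)[|\s]*$"
)

def rewrite_io_stat(text, first_frame_epoch, tz=None):
    """Return (absolute_start, frames, bytes, suspect) per interval row.

    first_frame_epoch is the first frame's time in epoch seconds, e.g. from
    tshark -r capture.cap -c 1 -T fields -e frame.time_epoch
    tz=None means local time, which is what -t ad prints.
    """
    base = datetime.fromtimestamp(first_frame_epoch, tz)
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m is None:
            continue  # header, filter or separator line
        offset, frames, nbytes = float(m.group(1)), int(m.group(2)), int(m.group(3))
        # Bytes counted without any frames is the symptom from the question.
        suspect = frames == 0 and nbytes > 0
        rows.append((base + timedelta(seconds=offset), frames, nbytes, suspect))
    return rows

def format_rows(rows):
    """Render rows in the '| date time | frames | bytes |' style of -t ad."""
    return [
        "| %s | %6d | %d |%s"
        % (ts.strftime("%Y-%m-%d %H:%M:%S"), frames, nbytes, " <- suspect" if bad else "")
        for ts, frames, nbytes, bad in rows
    ]

if __name__ == "__main__":
    epoch = datetime(2012, 11, 26, 15, 32, 2, tzinfo=timezone.utc).timestamp()  # constructed
    print("\n".join(format_rows(rewrite_io_stat(SAMPLE, epoch, timezone.utc))))
```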