This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

IO Graph dns.time when filtering for dns.time<=.1 (tried 0.1 too) less than a tenth of a second

0

I have a file that has 1 million packets captured in it. When loading in the file, I filtered it with the filter of dns.time<=0.1. I then tried to create a graph via Statistics|IO Graph. I set the Y axis to Unit:Advanced... Set Filter:dns.time<=0.1, Calc:AVG(*)dns.time. The capture shows that the time span (x Axis) shows 260s. However, the graph shows all but approximately the last 5 data points (seconds) as the maximum on the graph.

Am I experiencing a bug or am I specifying the graph parameters incorrectly?

I originally tried to graph things without putting a filter cap on the data (which led me to load the data with a ceiling filter on dns.time).

How can I extract the dns.time data in csv format with timestamps?

asked 31 Jan '13, 07:19


PacketLooker
accept rate: 0%

I'm having problems understanding the problem description. Can you please add a screenshot of the IO Graph window?

(05 Feb '13, 13:58) Kurt Knochner ♦

One Answer:

0

OK, I was able to reproduce the issue on my Mac. The problem is the binding of responses to requests. It is based on the DNS transaction ID in combination with the source/destination IP addresses and ports. When there is a collision, the dns.time will be negative for some of the requests. In my case, this happens for the MDNS packets sent by my Mac, as they have the same ports (5353) and IP addresses and transaction ID (0x0000).

When you use the filter "dns.time>0 and dns.time<=0.1", do you get better results?

answered 05 Feb '13, 15:20


SYN-bit ♦♦
accept rate: 20%
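
An added example, not part of the original question or answer: one way to get dns.time with timestamps as CSV via tshark field export, then average it per 1-second interval while applying the answer's `dns.time>0 and dns.time<=0.1` range and counting what was rejected. The file name `capture.pcap`, the function name `per_second_avg` and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape produced by (capture.pcap is an assumed name):
#   tshark -r capture.pcap -Y dns.time -T fields \
#          -e frame.time_relative -e dns.time -E separator=, -E header=y
SAMPLE_CSV = """frame.time_relative,dns.time
0.120000,0.020000
0.480000,0.040000
0.900000,-0.750000
1.100000,0.030000
1.600000,0.250000
2.200000,-1.900000
2.700000,0.010000
"""

def per_second_avg(csv_text, lo=0.0, hi=0.1):
    """Average dns.time per 1 s interval for lo < dns.time <= hi.

    Returns (averages, dropped). dropped counts, per interval, the samples
    at or below lo (the negative values the answer attributes to
    request/response collisions) and those above hi.
    """
    sums = defaultdict(lambda: [0.0, 0])
    dropped = defaultdict(lambda: {"not_positive": 0, "over_cap": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["dns.time"]:
            continue  # frame without a matched response time
        bucket = int(float(row["frame.time_relative"]))
        t = float(row["dns.time"])
        if t <= lo:
            dropped[bucket]["not_positive"] += 1
        elif t > hi:
            dropped[bucket]["over_cap"] += 1
        else:
            sums[bucket][0] += t
            sums[bucket][1] += 1
    averages = {b: s / n for b, (s, n) in sorted(sums.items())}
    return averages, dict(dropped)

if __name__ == "__main__":
    avg, dropped = per_second_avg(SAMPLE_CSV)
    for second, value in avg.items():
        print(f"{second}s avg={value:.6f} dropped={dropped.get(second)}")
```

Calling it with `lo=float("-inf"), hi=float("inf")` reproduces the unfiltered average, which shows how a few negative values pull an interval's mean away from the real response times.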