This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tshark IO stat analysis with v1.8.5

0

I'm using a command such as the following:

tshark.exe -q -z "io,stat,60,ip.src==myhost.co.uk" -r Monday.pcap > MonOutboundStats.txt

With the aim of determining how much traffic is going out from "myhost.co.uk". However, when I look at the resulting stats file it doesn't add up. The first few rows make sense but then I get the same figure repeated in column 2 (118799631). If I understand correctly, the first column is unfiltered and should show me the total IO (both in and outbound). Therefore, you would not expect to see values in my second, filtered column that are greater than those in the first column.

| Interval | Frames | Bytes | Frames | Bytes |
|---------------------------------------------------------|
...
| 44940 <> 45000 | 69 | 9922 | 36 | 4470 |
...
| 121140 <> 121200 | 4 | 336 | 0 | 118799631 |
| 121200 <> 121260 | 1 | 243 | 0 | 118799631 |
| 121260 <> 121320 | 0 | 0 | 0 | 118799631 |
| 121320 <> 121380 | 0 | 0 | 0 | 118799631 |
| 121380 <> 121440 | 0 | 0 | 0 | 118799631 |
| 121440 <> 121500 | 0 | 0 | 0 | 118799631 |
...

Have I missed something here?

I'd like to end up with a command I can use to see how much traffic is going in and out from my host, similar to:

tshark.exe -q -z "io,stat,60,ip.src==myhost.co.uk,ip.dst==myhost.co.uk" -r Monday.pcap > MonOutboundStats.txt

asked 06 Feb '13, 02:18

billbofagends
accept rate: 0%

A similar experiment works for me, can you share your capture file?

(06 Feb '13, 04:24) grahamb ♦

One Answer:

0

This is a bug in tshark-1.8.x (I know because I filed it!). You can learn more here:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8066

Dropping back to 1.6 will solve the io,stat issue, but then you won't have all the goodies that come with 1.8.

answered 06 Feb '13, 06:36

zachad
accept rate: 21%
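
An added example, not part of the original posts or of Wireshark: a Python check that parses io,stat rows in the layout shown in the question and flags intervals showing the symptom reported there. The function names are hypothetical, the sample rows are copied from the question, and treating column 1 as the unfiltered total is the asker's assumption, so it can be switched off.

```python
import re

# Data rows as laid out in the question: | start <> end | frames | bytes | frames | bytes |
ROW = re.compile(r"^\|\s*(\d+)\s*<>\s*(\d+)\s*\|(.+)\|\s*$")

# Sample input: header and three data rows copied from the question's output.
SAMPLE = """\
| Interval | Frames | Bytes | Frames | Bytes |
|---------------------------------------------------------|
| 44940 <> 45000 | 69 | 9922 | 36 | 4470 |
| 121140 <> 121200 | 4 | 336 | 0 | 118799631 |
| 121260 <> 121320 | 0 | 0 | 0 | 118799631 |
"""

def parse_rows(text):
    """Yield (start, end, [(frames, bytes), ...]) for each data row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator, "..." or blank line
        cells = [c.strip() for c in m.group(3).split("|")]
        if len(cells) % 2 or not all(c.isdigit() for c in cells):
            continue  # not a frames/bytes pair layout
        nums = [int(c) for c in cells]
        yield int(m.group(1)), int(m.group(2)), list(zip(nums[0::2], nums[1::2]))

def suspicious_rows(text, first_column_is_total=True):
    """Return (start, end, column, reason) for counters that cannot be right."""
    findings = []
    for start, end, cols in parse_rows(text):
        # A column that counted no frames cannot have counted any bytes.
        for idx, (frames, nbytes) in enumerate(cols, 1):
            if frames == 0 and nbytes > 0:
                findings.append((start, end, idx, "bytes reported for zero frames"))
        # Assumption from the question: column 1 is the unfiltered total.
        if first_column_is_total:
            total_frames, total_bytes = cols[0]
            for idx, (frames, nbytes) in enumerate(cols[1:], 2):
                if frames > total_frames or nbytes > total_bytes:
                    findings.append((start, end, idx, "exceeds column 1"))
    return findings

if __name__ == "__main__":
    for finding in suspicious_rows(SAMPLE):
        print(finding)
```

Running it over a saved stats file before trusting the totals catches the repeated-value rows without reading the whole table by eye.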