I am trying to track down the source of some browsing issues and I believe I have narrowed it down to a DNS issue. I can filter on a specific transaction ID and manually calculate the time between the first request and the reply, but I am looking for a way to automatically calculate the data and create an IO graph. Using dns.time only shows the time since the last request and the reply, whereas I would like to see the time between the first request and reply. For example, if a DNS request is retransmitted twice, the time from the first request to the reply may be 3.5 sec, but dns.time will show .5 sec since that is the amount of time since the last retransmission. Any ideas?
asked 02 Jun '13, 15:50 John Moran
One Answer:
You could try to create the required relation between the DNS request and the response with MATE, then add a field ('delta_time') and draw an I/O graph based on that field. See also here:
HOWEVER: MATE is quite complex ...
Regards
answered 04 Jun '13, 12:59 Kurt Knochner ♦
I'm wondering if, more simply, something like
tshark -R dns -T fields -e frame.time -e dns.id
could just be piped to an awk script to take first and last of each dns.id value, subtract min from max frame time in the corresponding column, and output the results in a time-sorted x;y format that you could then plot out of Excel. That's probably just a few lines of code. I might look at it tomorrow night but this should be relatively straightforward.
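
The tshark-to-awk approach suggested in the comment above, written out as an added example that is not part of the original thread. It assumes comma-separated tshark field output using frame.time_epoch (so timestamps subtract directly) and the -Y display-filter option; capture.pcap and the function names dns_first_to_reply and sample_capture are placeholders, and the sample packets are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Each input line is one DNS packet:
#   frame.time_epoch,ip.src,ip.dst,dns.id,dns.flags.response
# e.g. from (capture.pcap is a placeholder file name):
#   tshark -r capture.pcap -Y dns -T fields -E separator=, \
#     -e frame.time_epoch -e ip.src -e ip.dst -e dns.id -e dns.flags.response

# Print "first_query_epoch;seconds_until_reply", sorted by query time.
dns_first_to_reply() {
    LC_ALL=C awk -F, '
    {
        t = $1
        # Response flag is printed as 1/0 or True/False depending on version.
        is_reply = ($5 == "1" || $5 == "True")
        # Key on client address + transaction ID so IDs reused by other
        # clients do not collide; the client is the destination of a reply.
        key = (is_reply ? $3 : $2) "|" $4
        if (!is_reply) {
            # Keep only the earliest query; retransmissions are ignored.
            if (!(key in first)) first[key] = t
        } else if (key in first) {
            printf "%.6f;%.3f\n", first[key], t - first[key]
            # Forget the transaction so a reused ID starts a fresh one.
            delete first[key]
        }
    }
    END {
        for (key in first)
            printf "unanswered: %s first seen %.6f\n", key, first[key] > "/dev/stderr"
    }' | LC_ALL=C sort -t';' -k1,1n
}

# Constructed sample: one query retransmitted twice (reply 3.5 s after the
# first query, 0.5 s after the last), one fast lookup, one unanswered query.
sample_capture() {
    cat <<'EOF'
1370188200.000000,192.0.2.10,192.0.2.53,0x1a2b,0
1370188201.000000,192.0.2.10,192.0.2.53,0x1a2b,0
1370188203.000000,192.0.2.10,192.0.2.53,0x1a2b,0
1370188203.500000,192.0.2.53,192.0.2.10,0x1a2b,1
1370188204.000000,192.0.2.10,192.0.2.53,0x3c4d,0
1370188204.020000,192.0.2.53,192.0.2.10,0x3c4d,1
1370188205.000000,192.0.2.10,192.0.2.53,0x5e6f,0
EOF
}

sample_capture | dns_first_to_reply
```

Queries that never receive a reply are reported on stderr, so the x;y output on stdout stays clean for plotting.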