Method to verify results based on a graph generated in wireshark

Question

I want to write a script where I need to verify the final result (pass/fail) based on a graph generated in wireshark.

Message rate is to be configured for e.g., 25000 and the same is to be verified from graphs.
In wireshark, under "Statistics" menu, "IO Graph" is there. There I need to give different filters for "Graph 1", "Graph 2" and "Graph 3". Three graphs with different colors will be generated.
I need to verify that the rate is exactly same (here 25000) what was configured.

Attaching reference screenshot :-

alt text

To write pcap before sending messages

sudo /usr/sbin/tethereal -i eth2 -q -w Wm_FUN_010.pcap -R diameter

To read pcap after message exchange is done

sudo /usr/sbin/tethereal -r Wm_FUN_010.pcap -R "diameter.Auth-Request-Type == 2 && diameter.cmd.code == 265 && diameter.flags.request == 1"

As of now, I know only Graph option to verify the rate, but I am looking for an automated script solution. Is there a way I can do this with Graph or any other method?

I searched for reference but couldn't get any information on this. It will be really helpful if someone can suggest a method or reference to achieve above requirement.

I tried following command which gives count based on time interval, but what I need is, count for a particular protocol message which is 6 for my case.

-bash-3.2$ tshark -q -nr rad_fun_010.pcap -t ad -z io,stat,1,"COUNT(frame.len)frame.len"
===================================================================
IO Statistics
Interval: 1.000 secs
Column #0: COUNT(frame.len)frame.len
|   Column #0
Time            |          COUNT
000.000-001.000                 2
001.000-002.000                 0
002.000-003.000                 9
003.000-004.000                 0
004.000-005.000                 0
005.000-006.000                 0
006.000-007.000                 0
007.000-008.000                 2
===============================================

With “tshark io” related command, getting count might be possible, but couldn’t get enough information on this. Can someone throw some light on how to achieve this?

Answer 1

You can use tshark's -z io,stat option. That command can take display filters as well to generate those types of stats as output which you can then return to the scripted process you're referring to.

Depending on the setup, another way is to use the 'tshark -T fields -e (display filter) -e (display filter)' command to print out columns that you want and pipe them into awk scripts (for example) to generate all the stats you want from them that way. diameter.resp_time would be one example value that you can make use of to calculate min/max/average Diameter response times.

Answer 2

Another option with tshark would be:

tshark -r Wm_FUN_010.pcap -R "diameter.Auth-Request-Type == 2 && diameter.cmd.code == 265 && diameter.flags.request == 1" -T fields -e frame.time_relative -e frame.number -e ip.src -e ip.dst -E header=y -E separator=;

or even

tshark -r Wm_FUN_010.pcap -R "diameter.Auth-Request-Type == 2" -T fields -e frame.time_relative -e frame.number -e ip.src -e ip.dst -e diameter.cmd.code -E header=y -E separator=;

Hint: You might need a more recent version of tshark than the tethereal you are currently using ;-)

Take the output of that command and feed it into a spreadsheet or a script and do the analysis yourself. You'll get the time, the frame number (if needed) and the IP addresses (to distinguish different conversations). With that information you can easily calculate the 'message rate'.

Regards
Kurt