This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Verification of counters in a particular range in a packet capture

0

I have got counters based on 2 sec interval.

  • I need to verify that the count is in the range 1200 to 1600. Is there any way we can do it without parsing the whole output?

  • If for any particular time interval, the count doesn't fall into matching range, some error/warning message should get printed.

  • Is there any method to get the average for these counters?

# tshark -r q4-mme.pcap -qz io,stat,2,"COUNT(frame.time)frame.time"
===================================================================
IO Statistics
Interval: 2.000 secs
Column #0: COUNT(frame.time)frame.time
                |   Column #0
Time            |          COUNT
000.000-002.000              1241
002.000-004.000              1272
004.000-006.000              1315
006.000-008.000              1371
008.000-010.000              1195
010.000-012.000              1299
012.000-014.000              1305
014.000-016.000              1391
016.000-018.000              1463
018.000-020.000              1454
020.000-022.000              1392
022.000-024.000              1438
024.000-026.000              1362
026.000-028.000              1491
028.000-030.000              1392
030.000-032.000              1422
032.000-034.000              1425
034.000-036.000              1486
036.000-038.000              1449
038.000-040.000              1487
040.000-042.000              1402
042.000-044.000              1420
044.000-046.000              1330
046.000-048.000              1458
048.000-050.000              1420
050.000-052.000               144
===================================================================

Total number of time intervals is not static (it will vary).

Please let me know how I can achieve the desired results.

asked 16 Oct '13, 03:52


npatel
accept rate: 0%

edited 15 Sep '14, 22:37


Guy Harris ♦♦


One Answer:

0

Please let me know how I can achieve the desired results.

By parsing the output and by checking if your defined conditions do match.

Is there any way we can do it without parsing the whole output?

No. Who should do it if not you !?! ;-))

To be more precise: There is no built-in mechanism in Wireshark/tshark that will do it for you automatically.

Instead of using tshark, you could create the same with an IO Graph and then check 'visually' (look at the graph) if the COUNT() value exceeds a certain limit.

If for any particular time interval, the count doesn't fall into matching range, some error/warning message should get printed.

As mentioned, there is no automatism in Wireshark/tshark to generate alerts if a traffic pattern meets a certain condition (although that would be a cool feature in Wireshark!). So, it's up to you to parse the tshark output with a script and then generate whatever alert you need.

Is there any method to get average for this counters?

Either do it yourself in a script or feed the tshark output into spreadsheet software and calculate the average there.

Regards
Kurt

answered 16 Oct '13, 07:31


Kurt Knochner ♦
accept rate: 15%

edited 16 Oct '13, 07:44
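The answer leaves the parsing to the reader, so here is one way to do all three things the question asks for (range check per interval, a warning for each interval outside the range, and the average) in a script. This is an added example written for this thread, not code from the original question or answer and not part of Wireshark or tshark. It parses the plain-text table layout that `tshark -qz io,stat,2,"COUNT(frame.time)frame.time"` prints in the question; the second, pipe-separated row pattern (`| 0.000 <> 2.000 | 1241 |`) is an assumption about the newer tshark table layout and can be dropped if it does not match your version. The `SAMPLE` text is a constructed, shortened copy of the question's output so the script runs offline; in practice you pipe the real tshark output into it.

```python
#!/usr/bin/env python3
"""Check tshark "io,stat" interval counts against a range and print the average.

Added example for the thread above (not part of the original post, not tshark code).
"""
import re
import sys
from statistics import mean

LOW, HIGH = 1200, 1600  # acceptable range of frames per interval, from the question

# Constructed sample: six rows in the layout shown in the question. The last
# interval is deliberately small because a capture usually stops part-way
# through its final interval, exactly as in the question's output.
SAMPLE = """\
===================================================================
IO Statistics
Interval: 2.000 secs
Column #0: COUNT(frame.time)frame.time
                |   Column #0
Time            |          COUNT
000.000-002.000              1241
002.000-004.000              1272
004.000-006.000              1195
006.000-008.000              1463
008.000-010.000              1420
010.000-012.000               144
===================================================================
"""

# Row layout used in the question: "000.000-002.000              1241"
OLD_ROW = re.compile(r"^\s*(\d+(?:\.\d+)?)-(\d+(?:\.\d+)?)\s+(\d+)\s*$")
# Assumed newer, pipe-separated layout: "|  0.000 <>  2.000 |  1241 |"
NEW_ROW = re.compile(r"^\|\s*(\d+(?:\.\d+)?)\s*<>\s*(\d+(?:\.\d+)?)\s*\|\s*(\d+)\s*\|")
INTERVAL = re.compile(r"^Interval:\s*(\d+(?:\.\d+)?)\s*secs")


def parse_io_stat(text):
    """Return (interval_seconds, rows) where rows = [(start, end, count), ...].

    Header, separator and column-title lines match neither row pattern and are skipped,
    so the number of intervals in the input does not need to be known in advance."""
    interval = None
    rows = []
    for line in text.splitlines():
        m = INTERVAL.match(line)
        if m:
            interval = float(m.group(1))
            continue
        m = OLD_ROW.match(line) or NEW_ROW.match(line)
        if m:
            rows.append((float(m.group(1)), float(m.group(2)), int(m.group(3))))
    return interval, rows


def out_of_range(rows, low=LOW, high=HIGH):
    """Return [(start, end, count, 'below'|'above')] for every interval outside [low, high]."""
    bad = []
    for start, end, count in rows:
        if count < low:
            bad.append((start, end, count, "below"))
        elif count > high:
            bad.append((start, end, count, "above"))
    return bad


def average(rows, skip_last=False):
    """Mean count per interval. With skip_last=True the final interval is left out,
    since the capture normally ends inside it and its count is not comparable."""
    counts = [count for _, _, count in rows]
    if skip_last and len(counts) > 1:
        counts = counts[:-1]
    return mean(counts) if counts else 0.0


def report(text, low=LOW, high=HIGH):
    """Print one warning per out-of-range interval plus the averages; return the warning count."""
    interval, rows = parse_io_stat(text)
    if not rows:
        print("no interval rows found in input", file=sys.stderr)
        return 0
    bad = out_of_range(rows, low, high)
    for start, end, count, why in bad:
        print(f"WARNING: {start:07.3f}-{end:07.3f} count {count} is {why} range {low}..{high}")
    print(f"{len(rows)} intervals of {interval}s; average {average(rows):.1f} frames/interval"
          f" ({average(rows, skip_last=True):.1f} excluding the last, partial interval)")
    return len(bad)


if __name__ == "__main__":
    # Usage: tshark -r q4-mme.pcap -qz io,stat,2,"COUNT(frame.time)frame.time" | python3 check_counts.py
    # Without piped input the constructed SAMPLE is checked instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    sys.exit(1 if report(data) else 0)
```

The exit status is non-zero when any interval is outside the range, so the script can sit at the end of a pipeline in a test job. Whether the trailing partial interval should count as a failure is a judgement call; the script reports it but also prints the average with that interval excluded so both views are visible.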