This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Strange results from Statistics

0

Hi,

I need to have a graph for bandwidth usage while the client uses a webapp. I captured all packets from the client to the proxy (on the proxy).

But the graph in IO Graph shows much more traffic for the one client than the router, between all clients and the proxy, for the whole net.

Then I tried to get the usage per second from tshark

tshark.exe -nr "<File>"  -z "io,stat,1,ip.dst==client&&ip.src==proxy"

But the result is strange too. I often have very huge numbers at the end which can't be true. For example:

=======================================================  
| IO Statistics                                       |  
|                                                     |  
| Interval size: 1 secs                               |  
| Col 1: Frames and bytes                             |  
|     2: ip.dst==client&&ip.src==proxy                |  
|-----------------------------------------------------|  
|              |1                 |2                | |  
| Interval     | Frames |  Bytes  | Frames |  Bytes | |  
|---------------------------------------------------| |  
...  
| 1384 <> 1385 |      0 |       0 |    0 | 64848607 | |  
| 1385 <> 1386 |     27 |   24532 |    0 | 64848607 | |  
| 1386 <> 1387 |    450 |  425266 |    0 | 64848607 | |  
| 1387 <> 1388 |    891 |  836781 |    0 | 64848607 | |  
| 1388 <> 1389 |    234 |  227972 |    0 | 64848607 | |  
| 1389 <> 1390 |    261 |  253114 |    0 | 64848607 | |  
| 1390 <> 1391 |   1588 | 1514653 |    0 | 64848607 | |  
| 1391 <> 1391 |    170 |  163242 |    0 | 13248269094487389 | |  
=======================================================

Also, why is there an amount of 0 Frames but still a value for Bytes?

The client used only the webapp during the capture.

My goal is to see the peaks for traffic. The average usage I got from Summary already.

Thanks in advance.

asked 28 Oct '13, 08:32

crocom

edited 28 Oct '13, 08:36


One Answer:

1

Also, why is there an amount of 0 Frames but still a value for Bytes?

That's obviously a bug. What is your

  • OS and version
  • Wireshark version (tshark -v)

answered 28 Oct '13, 08:56

Kurt Knochner ♦

Version 1.8.6 (SVN Rev 48142 from /trunk-1.8) http://pastebin.com/tv5Q14N7

I have updated to the last stable 1.10.2 and now I get 0 Bytes for 0 Frames. Merci :)

But the IO Graph is still wrong. There are peaks at over 1mbit although the ethernet line only has a max. of 1mbit http://picload.org/image/ocpglrg/iograph.png

(29 Oct '13, 01:24) crocom

But the IO Graph is still wrong.

There are some possible reasons for this. Please see here:

http://ask.wireshark.org/questions/25349/utilization-graph-shows-more-than-the-actual-bandwidth

(29 Oct '13, 04:15) Kurt Knochner ♦
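
The two symptoms in this thread (a Bytes value on a row with 0 Frames, and per-second rates above the line speed) can be checked mechanically before the numbers are trusted. The following is an added example, not code from the posts or from Wireshark; the function names, the `link_bps` parameter and the sample rows are assumptions made for illustration.

```python
import re

# An interval row looks like: | 1385 <> 1386 |     27 |   24532 |    0 | 64848607 | |
ROW = re.compile(r"^\|\s*(\d+(?:\.\d+)?)\s*<>\s*(\d+(?:\.\d+)?)\s*\|(.*)$")

# Constructed sample in the layout quoted in the question (not a real capture).
SAMPLE = """\
| Interval     | Frames |  Bytes  | Frames |  Bytes | |
| 1385 <> 1386 |     27 |   24532 |    0 | 64848607 | |
| 1386 <> 1387 |    450 |  425266 |    0 |        0 | |
| 1390 <> 1391 |   1588 | 1514653 |    0 |        0 | |
"""

def parse_io_stat(text):
    """Return [(start, end, [(frames, bytes), ...])], one entry per interval row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # banner, header and separator lines
        cells = [c.strip() for c in m.group(3).split("|")]
        nums = [int(c) for c in cells if c.isdigit()]
        # Cells alternate Frames, Bytes for column 1, column 2, ...
        rows.append((float(m.group(1)), float(m.group(2)),
                     list(zip(nums[0::2], nums[1::2]))))
    return rows

def audit(rows, interval_s=1.0, link_bps=None):
    """Return (interval_start, column_number, reason) for implausible cells."""
    findings = []
    for start, _end, cols in rows:
        for col, (frames, nbytes) in enumerate(cols, 1):
            if frames == 0 and nbytes != 0:
                findings.append((start, col, "bytes without frames"))
            elif link_bps is not None and nbytes * 8 / interval_s > link_bps:
                findings.append((start, col, "rate above link capacity"))
    return findings

def peak_bps(rows, column=1, interval_s=1.0):
    """Highest per-interval bit rate for a column, ignoring rows with 0 frames."""
    rates = [cols[column - 1][1] * 8 / interval_s
             for _s, _e, cols in rows if cols[column - 1][0] > 0]
    return max(rates, default=0.0)

if __name__ == "__main__":
    parsed = parse_io_stat(SAMPLE)
    print(audit(parsed, link_bps=1_000_000), peak_bps(parsed, column=1))
```

A "rate above link capacity" finding does not by itself say the capture is wrong; the question linked in the last comment lists possible reasons for it.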