This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

statistics - time interval problem

0

Hello, I have a 16-second trace file. I need to see the packets during 1 second. I use the following display filter:

frame.time >= "Nov 10, 2013 11:22:09.000000000" and frame.time < "Nov 10, 2013 11:22:10.000000000"

I verify the operation, I check first and last packets on the filtered list and I see correct Arrival Times:

First packet: Nov 10, 2013 11:22:09.002234000
Last packet: Nov 10, 2013 11:22:09.976237000

I select Statistics->Summary and I see displayed Bytes: 2000000

Next I copy the above filter to IO Graphs (I have settings: 1s Tick Interval). I would like to see one dot on the chart. But I see two dots. When I copy to CSV I see two values, one after the other:

6056
1993944

The sum of these values gives the correct result: 2000000. But these two values are assigned to two consecutive seconds. It means that all my charts are wrong :( On the chart I should have 2000000 in one second (one dot), not data separated into two different seconds.

Why does IO Graphs not understand my filter rule? IO Graphs thinks that I need the 9th second from the beginning of the trace file (Time column).

Please do not tell me that I must always export selected packets to new file and run IO Graphs after that :(

asked 09 Nov '13, 16:47


net16
accept rate: 0%

edited 09 Nov '13, 16:57


One Answer:

0

Please do not tell me that I must always export selected packets to new file and run IO Graphs after that :(

O.K. I won't tell you that ;-)

Reason for your 'problem': The IO Graph values are calculated from the beginning of the file and not from the beginning of the first filtered frame. So, your filtered frames may fall into two 1-second calculation intervals.

Solution: Set a 'Time Reference'.

  • Apply the date/time display filter in Wireshark
  • Select the first filtered frame
  • Set a Time Reference on that frame: CTRL-T (accept any warnings) or Edit -> Set/Unset Time Reference
  • Now draw the IO Graph

As a result, the time interval for the IO Graph now starts at the Time Reference (with time delta 0) and you will get only one dot per 1-second interval.

Then clear the Time Reference (Edit -> Unset All Time References) and repeat the steps with another display filter.

Regards
Kurt

answered 10 Nov '13, 03:25


Kurt Knochner ♦
accept rate: 15%

edited 10 Nov '13, 03:29

Dear Kurt, thank you again for your time, help and nice words :)

I have tested your solution. Unfortunately it does not work as well as I need. It shows the sum of bits (dot) on the first second of the chart. I need to compare the results of both charts (main and one second) between 9 and 10 s in IO Graphs.

I have long trace files. I need to filter packets based on their timestamps. Why do I have to look at the time of the file beginning? I want to display specified packets with the timestamps that were assigned by the router:

frame.time >= "Nov 10, 2013 11:22:09.000000000" and frame.time < "Nov 10, 2013 11:22:10.000000000"

It should not have anything in common with file time referencing. You should use another filter for that, something like this:

time >= "00:00:09" and time < "00:00:10"

But I am afraid that a similar filter does not exist ;)

I have prepared a lot of results with filters based on timestamps and I did not know that Wireshark does not know what timestamps are :( I repeatedly filtered: the first 1 hour from 10 hours, 30 min from 1 hour, next 10 min, 1 min, 1 s from one trace file. How can I do this process correctly? Regards.

(10 Nov '13, 14:48) net16

Based on your last comment, I think I don't understand what you are trying to do.

Can you post a small sample capture file with a detailed description what you need and what you get (instead) by using IO graphs?

(10 Nov '13, 15:03) Kurt Knochner ♦

Kurt, I cannot attach the sample because it is a big file and it would be difficult for demonstrating the problem. But I will write the problem in detail. This is my pcap file:

1 0.000000 A B (arrival time 11:22:00.016544000)
2 0.001200 C D (arrival time 11:22:00.017744000)
3 0.005687 E F (arrival time 11:22:00.022231000)
...
1000 0.994555 I J (arrival time 11:22:01.010531000)
1001 0.999555 G H (arrival time 11:22:01.011031000)
1002 1.001222 K L (arrival time 11:22:01.011197700)

You can see that I have a correct time reference (from 0.000000). Note that the second second of timestamps (arrival time from 11:22:01 to 11:22:02) begins at frame no. 1000, e.g. 0.994555 file time. The IO graph will show two dots for the second interval (from 1 to 2 arrival time): first, the sum of bits from 0 to 1 for frames 1000 and 1001, and second, the sum of bits from 1 to 2 (because it looks at the time of the frame, as you wrote). I set "dot" in the style of the graph.

Ok, I can use Time Shift for all packets by -0.016544 and get:

1 0.000000 A B (arrival time 11:22:00.00000000)
2 0.001200 C D (arrival time 11:22:00.001200000)
3 0.005687 E F (arrival time 11:22:00.005687000)
...
1000 0.994555 I J (arrival time 11:22:00.994555000)
1001 0.999555 G H (arrival time 11:22:00.999555000)
1002 1.001222 K L (arrival time 11:22:01.000122000)

Now I have the second second starting from 11:22:01.000122000. It seems to be good. But it means 1001 frames during the first interval (from 0 to 1) and an incorrect sum of packets. In the original file I have 999 frames in this interval of arrival time.

Is it more clear?

(11 Nov '13, 11:45) net16

O.K. apparently the IO graph does not work as you might need it, although I can't really follow your example.

Why is it important if there are 999 or 1001 frames in a 1 second calculation interval?

Maybe we are talking about the wrong things. What are you trying to do? Maybe there is a better solution than using IO graphs.

(12 Nov '13, 04:11) Kurt Knochner ♦

Kurt, I need to measure how much data was transmitted during such a specified interval, let's say 1 sec, based on the timestamp (arrival time). If I look at the packets I see their arrival times, so I can count the sum of packets manually (for example 999). But I cannot always add packets manually; it should be an automatic process. Therefore I use the Copy button in the IO Graph, paste and see the numbers of packets in each interval. And I obtain mistakes, for example 1001 packets as in my example. Wireshark does not understand what arrival time is. It thinks that I want to count from the beginning of the trace file. Wireshark has no problem with correct displaying, but the graph and copying from the IO Graph show improper values. Both of these should be the same. I should not display one set of data and copy another set of data from the IO Graph. It looks like a software bug. Have you any idea how I can work around the problem?

(12 Nov '13, 15:12) net16

Kurt, I need to measure how much data was transmitted during such a specified interval, let's say 1 sec, based on the timestamp (arrival time).
it should be an automatic process.

O.K. then I suggest using tshark to print the necessary values and then using a script or spreadsheet software to calculate whatever you need, instead of doing the whole thing manually in the GUI with IO graphs!

tshark -nr input.pcap -T fields -e frame.number -e frame.time -e frame.time_relative -e ip.src -e ip.dst -e frame.len -E header=y -E 'separator=;' > output.csv

Now feed output.csv into your script (perl, python, whatever) or load it into a spreadsheet software and run your calculations.

(12 Nov '13, 16:02) Kurt Knochner ♦
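The following script is an added example, not code from the thread or from the Wireshark project. It takes the CSV that the tshark command above writes and bins frames two ways: by wall-clock arrival second (what the `frame.time` display filter selects) and by offset from the first frame (how the answer above says the IO Graph aligns its intervals). The sample rows are constructed in the shape tshark writes; the frame lengths and addresses are invented, and the `frame.time` format is assumed to be the "Nov 10, 2013 11:22:00.016544000" form shown in the question, with an optional trailing zone name tolerated.

```python
"""
Bin tshark CSV output (-T fields -E header=y -E 'separator=;') into fixed
intervals two ways: by wall-clock arrival second (frame.time) and by
offset from the first frame (frame.time_relative, the IO Graph alignment).
The two binnings disagree whenever the capture does not start exactly
on an interval boundary.
"""
import csv
import io
import re
import sys
from datetime import datetime, timedelta

NS_PER_S = 1_000_000_000
EPOCH = datetime(1970, 1, 1)

# Constructed sample in the layout the tshark command produces; lengths and
# addresses are made up, the relative times are consistent with the arrivals.
SAMPLE_CSV = """frame.number;frame.time;frame.time_relative;ip.src;ip.dst;frame.len
1;Nov 10, 2013 11:22:00.016544000;0.000000000;10.0.0.1;10.0.0.2;100
2;Nov 10, 2013 11:22:00.017744000;0.001200000;10.0.0.3;10.0.0.4;200
3;Nov 10, 2013 11:22:00.022231000;0.005687000;10.0.0.5;10.0.0.6;300
4;Nov 10, 2013 11:22:01.010531000;0.993987000;10.0.0.7;10.0.0.8;400
5;Nov 10, 2013 11:22:01.011031000;0.994487000;10.0.0.9;10.0.0.10;500
6;Nov 10, 2013 11:22:01.017000000;1.000456000;10.0.0.11;10.0.0.12;600
"""

# "Nov 10, 2013 11:22:00.016544000", optionally followed by a zone name.
_FRAME_TIME = re.compile(
    r"^([A-Z][a-z]{2}\s+\d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d{1,9})")


def parse_frame_time_ns(text):
    """Arrival time as integer nanoseconds since EPOCH (naive, no zone applied)."""
    m = _FRAME_TIME.match(text.strip())
    if not m:
        raise ValueError("unrecognised frame.time: %r" % text)
    whole = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    frac_ns = int(m.group(2).ljust(9, "0"))  # strptime only takes 6 digits
    return int((whole - EPOCH).total_seconds()) * NS_PER_S + frac_ns


def load_rows(text):
    """Parse the tshark CSV into dicts with the fields the binning needs."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), delimiter=";"):
        rows.append({
            "number": int(rec["frame.number"]),
            "arrival_ns": parse_frame_time_ns(rec["frame.time"]),
            "relative_s": float(rec["frame.time_relative"]),
            "len": int(rec["frame.len"]),
        })
    return rows


def _accumulate(bins, key, row):
    frames, nbytes = bins.get(key, (0, 0))
    bins[key] = (frames + 1, nbytes + row["len"])


def bin_by_arrival(rows, interval_s=1):
    """Intervals aligned to the wall clock, like the frame.time display filter."""
    bins = {}
    interval_ns = int(interval_s * NS_PER_S)
    for row in rows:
        start_ns = (row["arrival_ns"] // interval_ns) * interval_ns
        start = EPOCH + timedelta(seconds=start_ns // NS_PER_S)
        _accumulate(bins, start.isoformat(sep=" "), row)
    return bins


def bin_by_relative(rows, interval_s=1):
    """Intervals aligned to the first frame, which is how the IO Graph counts."""
    bins = {}
    for row in rows:
        _accumulate(bins, int(row["relative_s"] // interval_s), row)
    return bins


def frames_in_window(rows, start, end):
    """Frame numbers matching: frame.time >= start and frame.time < end."""
    lo, hi = parse_frame_time_ns(start), parse_frame_time_ns(end)
    return [r["number"] for r in rows if lo <= r["arrival_ns"] < hi]


if __name__ == "__main__":
    # Pass output.csv from the tshark command as the first argument,
    # or run without arguments to use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CSV
    rows = load_rows(text)
    print("by arrival second:", bin_by_arrival(rows))
    print("by file offset   :", bin_by_relative(rows))
```

On the sample, the arrival-second binning puts frames 4 to 6 in the 11:22:01 interval, matching what the display filter selects, while the offset binning puts frames 4 and 5 in interval 0 and only frame 6 in interval 1, which is the split the question describes. Run it on the real `output.csv` to get per-second totals aligned to the router timestamps without a Time Reference.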

instead of doing the whole thing manually in the GUI with IO graphs!

Kurt, sorry, but it is not true. IO Graphs is the best for these operations. I have the IO Graph, I write one filter in the Graph2 field and another filter in the Graph3 field, and simply click on Copy and paste into spreadsheet software. That's all :)

Wireshark has a critical problem with IO Graphs. People do not know that their charts in IO Graphs are incorrect. IO Graphs misinterprets timestamps (arrival times) and cannot count packets if filters are used. Or we do not know how we can do it properly ;)

Regards

(13 Nov '13, 13:11) net16

Kurt, sorry, but it is not true. IO Graphs is the best for these operations.

well, it may be the best method for you. ;-)

I don't see why a manual process is better or faster than a scripted solution, where you can do all you need within a few seconds (printing values, calculation, creating spreadsheets and sending the results via e-mail) and with whatever accuracy you need.

Wireshark has a critical problem with IO Graphs.

I don't think so. IO graphs are used for what their name indicates: graphing values to get a rough overview of traffic patterns. For me a graph is never an instrument for 110% accurate calculations ;-)

Furthermore I simply can't follow your sample (problem description) without some sample data. I've done my own tests and it worked in every case as I described it in my answer and as I had expected it to work.

But, never mind: If you want to solve your problem with IO graphs, go ahead and do that. There is no overall best solution for a certain class of problems, just the best solution in a certain environment ;-)

(14 Nov '13, 04:35) Kurt Knochner ♦