This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to get the iostats in near real time from tshark?

0

Hi All,

I am trying to plot the stats output from tshark. I want to know if there is a way I can print the stats every few seconds rather than printing at the end. It will be of great help for me.

Thanks in advance

This question is marked "community wiki".

asked 20 Nov '13, 02:25


Kiran
accept rate: 0%


2 Answers:

0

I've done what you're trying to do, sort of. My approach was:

  • Use dumpcap to perform automated captures over a short time period (short as in 5 or 15 minutes).
  • Use the tshark -z io,stats option to pull packet counts matching various display filters to use as graph metrics.
  • Take those metrics and add them to the end of an incrementing .csv file with a timestamp column.
  • Use a web dashboard utility (in my case, I used Open Flash Chart, http://teethgrinder.co.uk/open-flash-chart-2/) to take the .csv file data and generate dynamic chart content.

Now there are a couple things to caution on here:

  • Ensure your -z io,stats is done once against a capture file, and you get all the stats you need from it in one query. This makes it immeasurably more scalable.
  • Be careful about starting the tshark -z query immediately after dumpcap finishes. You may need to delay it for a few time intervals to ensure the file is there to be read.
  • If you want, add an unlink statement against the old capture files based on mtime if you don't want to keep them.
  • Consider how much traffic you need to parse. Dumpcap can probably take it, but tshark is a slower process. Once the time it takes to read a time interval exceeds the time it takes to analyze it and save it, your near-real-time graph concept is over.
  • I can't give you my source code for the above project. I am sorry and wish I could, but for a Perl person it's relatively straightforward. :)

answered 20 Nov '13, 19:20


Quadratic
accept rate: 13%

edited 20 Nov '13, 19:26

Hi,

It's good to know somebody already tried and succeeded at something similar to what I want to do. :)

I also observed the same thing with "-z query immediately after dumpcap finishes".

It's ok, I will manage writing my own code :).

I also used Perl for my offline analysis, which updates and plots in a browser.

I think I will try pcap directly and see what I can do with that.

Thank you for your feedback. I will get back if I get stuck again on something.

BRs, Kiran

(20 Nov '13, 22:25) Kiran
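The pipeline described in Quadratic's answer above (short dumpcap windows, one tshark -z io,stats query per capture file with all filters at once, rows appended to a timestamped CSV, old captures unlinked by mtime), as an added Python example that is not the answerer's code or part of the original thread. The interface name, the two display filters, the window and interval sizes and the file paths are assumptions; the sample io,stats table embedded at the bottom is constructed to resemble tshark's output, whose exact column layout varies between versions, so the parser only keys on the "start <> end" interval marker and the numeric cells.

```python
"""Near-real-time tshark io,stats pipeline (added example, not Quadratic's code).

One cycle: dumpcap writes a short capture window to a file, tshark answers a
single -z io,stats query carrying every filter, each interval row is appended
to a CSV with a wall-clock timestamp, and captures older than a few windows
are unlinked by mtime. Interface, filters, paths and sizes are assumptions.
"""
import csv
import os
import re
import subprocess
import time
from datetime import datetime, timezone

INTERFACE = "eth0"                           # assumption
WINDOW_SECS = 60                             # one dumpcap run per window
INTERVAL_SECS = 10                           # io,stats bucket inside a window
FILTERS = ["tcp.port==80", "udp.port==53"]   # assumed graph metrics
CSV_PATH = "iostats.csv"
KEEP_SECS = 3 * WINDOW_SECS                  # captures older than this are removed

# Interval rows look like "|  0 <> 10 |  12 | 3000 |  5 | 400 |"; the last row
# of a file may end in "Dur" instead of a number.
ROW_RE = re.compile(r"^\|\s*([\d.]+)\s*<>\s*([\d.]+|Dur)\s*\|(.*)\|\s*$")


def dumpcap_cmd(path):
    """-a duration:N makes dumpcap stop by itself, so the file is complete when
    subprocess.run returns and tshark never reads a half-written capture."""
    return ["dumpcap", "-q", "-i", INTERFACE,
            "-a", f"duration:{WINDOW_SECS}", "-w", path]


def tshark_cmd(path, filters):
    """A single io,stats query with every filter: the file is read only once."""
    spec = ",".join(["io", "stats", str(INTERVAL_SECS)] + list(filters))
    return ["tshark", "-q", "-r", path, "-z", spec]


def parse_io_stats(text, n_filters):
    """Return [(start_secs, end_label, [(frames, bytes), ...]), ...]."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        cells = [c.strip() for c in m.group(3).split("|")]
        nums = [int(c) for c in cells if c.isdigit()]
        if len(nums) != 2 * n_filters:      # not a frames/bytes row for our filters
            continue
        rows.append((float(m.group(1)), m.group(2), list(zip(nums[0::2], nums[1::2]))))
    return rows


def csv_rows(capture_started_at, rows, filters):
    """Header plus one CSV row per interval, timestamped from the window start."""
    header = ["timestamp"]
    for f in filters:
        header += [f"{f} frames", f"{f} bytes"]
    out = [header]
    for start, _end, pairs in rows:
        ts = datetime.fromtimestamp(capture_started_at + start, timezone.utc)
        row = [ts.isoformat()]
        for frames, nbytes in pairs:
            row += [frames, nbytes]
        out.append(row)
    return out


def append_csv(path, capture_started_at, rows, filters):
    """Append the interval rows; the header is written only for a new file."""
    lines = csv_rows(capture_started_at, rows, filters)
    write_header = not os.path.exists(path)
    with open(path, "a", newline="") as fh:
        csv.writer(fh).writerows(lines if write_header else lines[1:])
    return len(lines) - 1


def prune_old_captures(workdir, now):
    """Unlink capture files whose mtime is older than KEEP_SECS."""
    for entry in os.scandir(workdir):
        if entry.name.endswith(".pcapng") and now - entry.stat().st_mtime > KEEP_SECS:
            os.unlink(entry.path)


def run_cycle(workdir):
    """Capture one window, query it once, append the rows, prune old files."""
    started = time.time()
    path = os.path.join(workdir, f"cap-{int(started)}.pcapng")
    subprocess.run(dumpcap_cmd(path), check=True)
    proc = subprocess.run(tshark_cmd(path, FILTERS), check=True,
                          capture_output=True, text=True)
    rows = parse_io_stats(proc.stdout, len(FILTERS))
    written = append_csv(CSV_PATH, started, rows, FILTERS)
    prune_old_captures(workdir, time.time())
    return written


# Constructed sample resembling tshark's io,stats table (exact layout varies by version).
SAMPLE_OUTPUT = """\
| Interval | Frames | Bytes | Frames | Bytes |
|--------------------------------------------|
|  0 <> 10 |     12 |  3000 |      5 |   400 |
| 10 <> 20 |      9 |  2100 |      3 |   240 |
| 20 <> Dur|      4 |   900 |      1 |    80 |
"""

if __name__ == "__main__":
    for row in csv_rows(0.0, parse_io_stats(SAMPLE_OUTPUT, 2), FILTERS):
        print(row)
    # Live use (needs dumpcap/tshark and capture rights on INTERFACE):
    # while True: run_cycle("/tmp/captures")
```

Because dumpcap is run synchronously with -a duration, each cycle only starts tshark after the capture file is closed, which sidesteps the timing problem the answer warns about; the per-cycle cost is one dumpcap window plus one tshark pass, and if that pass takes longer than WINDOW_SECS the output falls behind, which is the scaling limit the answer describes.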

0

That's only possible with a code change. If you think you need that feature please file an enhancement 'bug' at https://bugs.wireshark.org.

HOWEVER: Your request sounds like you are trying to use tshark as a (real time, long term) network monitoring solution. That won't work, as neither Wireshark nor tshark have been developed with that goal in mind. There are well known problems (ever increasing memory usage and others) that will create problems if you run tshark/wireshark for a longer period of time (see other questions).

What kind of statistics do you need? Maybe there are other solutions.

Regards
Kurt

answered 20 Nov '13, 03:17


Kurt Knochner ♦
accept rate: 15%

Hi Kurt,

Thanks for the quick answer. I am actually trying to simulate the behavior of IO Graph in Wireshark. (It has 5 filters from which it can generate graphs updating after every few seconds. I don't know whether it is possible to add more filters to it. And I want to know whether Lua can be of any help regarding adding more filters in the IO Graph of Wireshark.)

I want to actually do the same thing by sending data to a CSV file and plotting in a browser. Regarding the size of the buffer, if I want to plot some kind of data say every 1 sec, it is sufficient if it just stores up to 'n' sec (if it calculates the data required for the graph in that time) and does this in a circular manner, because I don't require any more analysis than the graphs that I want to plot.

I hope I made myself clear here.

BRs, Kiran

(20 Nov '13, 03:47) Kiran

"I hope I made myself clear here."

Clear enough to understand what you are trying to do ;-)

However, as I mentioned you are (apparently) trying to use tshark as a real time, long term network monitoring solution. That's not going to work due to the way tshark/Wireshark was designed.

Unless you need the 'power' of the Wireshark dissectors to extract some fields from an esoteric protocol, there might be better network (performance) monitoring tools available. Mr. Google will help.

If however, you need the 'magic power' of wireshark/tshark dissectors, I have bad news for you: You won't be able to implement what you are looking for with tshark/Wireshark.

See the discussions with @hoangsonk49 about a similar problem:

http://ask.wireshark.org/questions/25794/tshark-generate-core-dump
http://ask.wireshark.org/questions/26563/smaller-tshark-for-specific-protocol
http://ask.wireshark.org/questions/25984/what-does-processing-speed-of-dissectors-depend-on
http://ask.wireshark.org/questions/25091/wireshark-tshark-out-of-memory-problem

Just for the record: What kind of filters do you use in IO graphs?

(20 Nov '13, 08:06) Kurt Knochner ♦

Hi Kurt,

Thanks again for your reply. My filters are very simple. I am trying to see how much bandwidth my application is taking on some port and some IP -- which depends on my estimation algorithm. In turn I am validating my algorithm. I can actually do that offline also but I want to do that by plotting the data on a browser. The reason I am trying Wireshark is that sometimes I need to analyze data also. I don't want to use two tools for that purpose.

And thanks for taking time in searching and giving those links which were helpful.

BRs, Kiran

(20 Nov '13, 22:15) Kiran