This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Does Wireshark have an expert analysis function?

0

Does Wireshark have an expert analysis function?

asked 26 Apr '14, 15:27

fred

edited 27 Apr '14, 13:03

cmaynard ♦♦

What kind of expert knowledge do you need?

(26 Apr '14, 16:33) Kurt Knochner ♦

I care about some key indicators. For example, I plan to do statistics on a web server, and need to get average response time, average network time, access number, distribution of return state, etc.

(27 Apr '14, 18:43) fred

2 Answers:

2

Sure. Main Menu -> Analyze -> Expert Info. Don't expect it to point out exact problems though, but in defense of Wireshark I have to say that I have never seen a network analyzer that had a good expert.

answered 26 Apr '14, 15:30

Jasper ♦♦

Could you give me some advice about how to use the expert function more efficiently?

(26 Apr '14, 15:42) fred

Well, the only thing you can do is go through the expert messages and check if they point to a problem you're looking for.

(26 Apr '14, 16:32) Jasper ♦♦

Can you give a real example?

(27 Apr '14, 18:44) fred

Example: the expert says: "TCP Zero Window segment", which is a pretty good warning sign that the performance of the receiving node is not good enough to handle the load of incoming packets.

Now check if that node recovers from that Zero Window state within a few milliseconds or even microseconds by looking for "Window Updates" - if so, the zero window is still not good, but may not be the problem you're looking for, because the delay it caused is so small that it doesn't matter.

(28 Apr '14, 05:09) Jasper ♦♦

Can you give more examples about expert info? I have no idea how to use that expert info.

(28 Apr '14, 18:01) fred

1

> I plan to do statistics on a web server, and need to get average response time, average network time, access number, distribution of return state, etc.

O.K. you won't get that from Wireshark out of the box, as the HTTP stats don't work at that level of detail. However, you can create all those stats by using tshark (CLI tool) and some scripting.

If that is an option for you, meaning you know how to script something, please report back and I'll post more details.

Regards
Kurt

answered 28 Apr '14, 08:19

Kurt Knochner ♦

Hi Kurt, could you give some script examples to get those key indicators by using tshark?

(28 Apr '14, 18:03) fred
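
One way to script the statistics discussed in this thread with tshark and awk; this is an added example, not a script posted by anyone in the original thread. It covers response count, average and maximum response time, and the status-code distribution, using the standard Wireshark fields `http.response.code` and `http.time`. The function names, `capture.pcap` and the sample rows are assumptions made up for illustration.

```shell
#!/bin/sh
# Feed the function with tshark field output (capture.pcap is a placeholder):
#   tshark -r capture.pcap -Y http.response -T fields -E occurrence=f \
#       -e http.response.code -e http.time | http_stats
# http.time is the time since the matching request, in seconds. It is empty
# when the request was not captured, so such rows count toward the status
# distribution but not toward the timing figures.

http_stats() {
    awk -F '\t' '
        $1 == "" { next }                   # no status code: skip the row
        { total++; status[$1]++ }
        $2 != "" {                          # request was seen, timing is valid
            timed++; sum += $2
            if ($2 > max) max = $2
        }
        END {
            printf "responses %d\n", total
            printf "timed_responses %d\n", timed
            if (timed > 0) {
                printf "avg_response_ms %.1f\n", sum / timed * 1000
                printf "max_response_ms %.1f\n", max * 1000
            }
            for (code in status) printf "status_%s %d\n", code, status[code]
        }' | LC_ALL=C sort
}

# Constructed sample rows in the same tab-separated layout tshark emits.
# The last row is a response whose request is missing from the capture.
sample_rows() {
    printf '200\t0.012\n200\t0.030\n404\t0.004\n500\t0.250\n200\t\n'
}

sample_rows | http_stats
```
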