This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

In the following version...

TShark 1.10.7 (v1.10.7-0-g6b931a1 from master-1.10)

Is this expected?

sudo /usr/local/bin/tshark -n -q -r cdp-01-ccc-2014-05-21-accounting-and-accepts.cap -z io,stat,0,"COUNT(radius.code)radius.code" 'radius.code==2'

============================================
| IO Statistics                            |
|                                          |
| Interval size:   407.0 secs (dur)        |
| Col 1: Frames and bytes                  |
|     2: COUNT(radius.code)radius.code     |
|------------------------------------------|
|                |1                |2      |
| Interval       | Frames |  Bytes | COUNT |
|------------------------------------------|
| 0.0 <> 86307.0 |     59 |  22868 |    59 |
============================================

sudo /usr/local/bin/tshark -n -r cdp-01-ccc-2014-05-21-accounting-and-accepts.cap -z io,stat,0,"COUNT(radius.code)radius.code" 'radius.code==2' | grep Access-Accept | wc -l
1618

Why is there such a difference in counts and what should it be?

asked 30 May '14, 12:52

loner_t

edited 30 May '14, 13:46

grahamb ♦


Why is there such a difference in counts and what should it be?

because you are using -q (be quiet) in the first case, which tells tshark to not print a line for every packet in the capture file. As you did not use -q in the second case, you are getting a much larger number of lines, one per frame in the pcap file. That's totally expected behavior. See the man page of tshark.

http://www.wireshark.org/docs/man-pages/tshark.html

Regards
Kurt

answered 31 May '14, 07:19

Kurt Knochner ♦

Thanks, Kurt. The reason for not using -q in the second one was to see and count the actual packets with radius.code==2.

Also, even though my interval is set to 0 in both cases, tshark uses 407.0 seconds as an interval. The man page says, if interval is set to 0, the count function is over the entire duration of the capture, which in my specific case is roughly 24 hours.

Am I interpreting the man page correctly? The goal is to count the number of packets with radius.code==2 accurately.

(31 May '14, 08:08) loner_t

The goal is to count the number of packets with radius.code==2 accurately

Then please try this (not tested):

tshark -nr cdp-01-ccc-2014-05-21-accounting-and-accepts.cap -Y "radius.code==2" | grep Access-Accept | wc -l

(01 Jun '14, 15:56) Kurt Knochner ♦
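An added example, not part of this thread and not Wireshark project code, showing the two counting methods side by side in a script: a small parser for the `-z io,stat` table (in the layout tshark 1.10 prints, using the table from the question as constructed sample input) and a line counter that does what `grep Access-Accept | wc -l` does over per-packet output. The per-packet lines are constructed and their exact column layout is an assumption; the parser only relies on the `| start <> end | ... |` row shape of the table.

```python
import re

# Constructed sample: an io,stat table in the layout tshark 1.10 prints
# (values copied from the table shown in the question).
SAMPLE_IOSTAT = """\
============================================
| IO Statistics                            |
|                                          |
| Interval size:   407.0 secs (dur)        |
| Col 1: Frames and bytes                  |
|     2: COUNT(radius.code)radius.code     |
|------------------------------------------|
|                |1                |2      |
| Interval       | Frames |  Bytes | COUNT |
|------------------------------------------|
| 0.0 <> 86307.0 |     59 |  22868 |    59 |
============================================
"""

# Constructed sample of tshark's default one-line-per-packet output
# (column layout assumed; the thread does not show these lines).
SAMPLE_PACKET_LINES = """\
  1   0.000000   10.0.0.5 -> 10.0.0.9  RADIUS 120 Access-Request(1) (id=7, l=78)
  2   0.004210   10.0.0.9 -> 10.0.0.5  RADIUS 62 Access-Accept(2) (id=7, l=20)
  3   1.200000   10.0.0.5 -> 10.0.0.9  RADIUS 140 Accounting-Request(4) (id=8, l=98)
  4   1.203300   10.0.0.9 -> 10.0.0.5  RADIUS 62 Accounting-Response(5) (id=8, l=20)
  5   2.500000   10.0.0.5 -> 10.0.0.9  RADIUS 120 Access-Request(1) (id=9, l=78)
  6   2.503100   10.0.0.9 -> 10.0.0.5  RADIUS 62 Access-Accept(2) (id=9, l=20)
"""

INTERVAL_RE = re.compile(r"Interval size:\s*([\d.]+)\s*secs")
HEADER_RE = re.compile(r"^\|\s*Interval\s*\|(.*)\|\s*$")
ROW_RE = re.compile(r"^\|\s*([\d.]+)\s*<>\s*([\d.]+)\s*\|(.*)\|\s*$")


def parse_iostat(text):
    """Parse a `tshark -z io,stat` table into interval size, column names and rows.

    Each row is (start_sec, end_sec, {column_name: int}). With interval 0 the
    table has a single row spanning the whole capture, as in the question.
    """
    interval = None
    names = []
    rows = []
    for line in text.splitlines():
        m = INTERVAL_RE.search(line)
        if m:
            interval = float(m.group(1))
            continue
        m = HEADER_RE.match(line)
        if m:
            names = [c.strip() for c in m.group(1).split("|")]
            continue
        m = ROW_RE.match(line)
        if m and names:
            cells = [int(c.strip()) for c in m.group(3).split("|")]
            rows.append((float(m.group(1)), float(m.group(2)), dict(zip(names, cells))))
    return {"interval_size": interval, "columns": names, "rows": rows}


def total(stats, column):
    """Sum one column over every interval row of a parsed io,stat table."""
    return sum(row[2][column] for row in stats["rows"])


def count_packet_lines(text, needle):
    """What `tshark ... | grep needle | wc -l` does: count printed lines containing needle.

    This counts lines, not frames, so it depends on what tshark was asked to
    print (and on -q suppressing the per-packet lines entirely).
    """
    return sum(1 for line in text.splitlines() if needle in line)


if __name__ == "__main__":
    stats = parse_iostat(SAMPLE_IOSTAT)
    print("interval size:", stats["interval_size"], "secs")
    print("io,stat COUNT over all intervals:", total(stats, "COUNT"))
    print("per-packet lines matching Access-Accept:",
          count_packet_lines(SAMPLE_PACKET_LINES, "Access-Accept"))
```

If the two numbers disagree on a real capture, compare the filter given to io,stat's COUNT() column with the display filter applied to the per-packet output: the first counts frames in which the field is present within each interval, the second counts whatever lines tshark printed and grep matched.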
question asked: 30 May '14, 12:52

question was seen: 3,484 times

last updated: 01 Jun '14, 15:57