This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark BYTES (stats) does not match wireshark “Cumulative Bytes”

0

Basically I'm trying to get a total amount of bytes transferred per port (22, 5900, 5901, etc) but tshark does not seem to give the same results as wireshark... what am I doing wrong? I've tested this with wireshark/tshark 1.12.5 on win7 and tshark 1.10.6 on Ubuntu linux, same results. All tests reading from the same pcap file.

I added "Cumulative Bytes" as a column then applied a filter: "tcp.port==22". Cumulative bytes at the bottom for this filter is 396974.

Tshark gives me 71578 bytes from the same data:

tshark.exe -r tcpdump.pcap -qz io,stat,0,,"BYTES()tcp.port==22"

Using tshark, how can I get a statistical dump of the total tx/rx bytes per port (tcp.port) from the entire file based on a list of ~ 20 specific ports ? (it would be lot faster then running wireshark filters manually then copying the last "Cumulative Bytes" value each time)

asked 19 May '15, 13:19

CptFuzzy's gravatar image

CptFuzzy
6113
accept rate: 0%

edited 19 May '15, 16:05

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142

1

Can you post a sample capture file, to cloudshark for example?

(19 May '15, 14:19) cmaynard ♦♦

I can't post the file I'm working on as it has real IP's in it... I'll try and create another file that i can share and reproduce the problem. Is "BYTES()tcp.port==22" the correct method to get all the traffic for that port?

(19 May '15, 15:44) CptFuzzy
1

Is "BYTES()tcp.port==22" the correct method to get all the traffic for that port?

I don't know. If there's IP fragmentation occurring, for example, it might not be. Or maybe it is and there's a Wireshark bug. Or perhaps there's a Wireshark preference setting that needs to be changed. Or maybe running tshark with other options, such as the -2 option, for example, might give you the output you need. It's hard [for me] to say without looking at a sample capture file.

(19 May '15, 16:04) cmaynard ♦♦

Thanks for the comments. I'll try to get a 'clean' capture file and start again. Thanks for the cloudshark link - could be useful.

(20 May '15, 07:44) CptFuzzy

@CptFuzzy

You can use TraceWrangler to anonymize your capture file and then post the anonymized one.

(20 May '15, 07:51) grahamb ♦

One Answer:

1

In general it works (same values in the GUI and tshark). I just tested with 1.12.1 on Win7. So, the problem could be related to your capture file.

Can you please test with the following test file to see if you get the same result as I do.

Test file: https://www.cloudshark.org/captures/60efe7c0e18b

tshark.exe -r http.pcapng -qz io,stat,0,,"BYTES()tcp.port==80","BYTES
()tcp.srcport==80","BYTES()tcp.dstport==80"

==========================================
| IO Statistics                          |
|                                        |
| Duration: 0.688 secs                   |
| Interval: 0.688 secs                   |
|                                        |
| Col 1: BYTES()tcp.port==80             |
|     2: BYTES()tcp.srcport==80          |






3: BYTES()tcp.dstport==80











Interval




—————————————-




0.000 <> 0.688




==========================================
alt text
Regards





Kurt
answered 19 May ‘15, 21:48
Kurt%20Knochner's gravatar image
Kurt Knochner ♦





24.8k1039237





accept rate: 15% 
 edited 19 May ‘15, 21:49 
Thank you for your answers. I will try a few things and post results. In the mean-time, is there a way to validate my pcap file? perhaps remove incomplete/invalid records?
(20 May ‘15, 07:42) CptFuzzy
is there a way to validate my pcap file? perhaps remove incomplete/invalid records?
Hard to tell without access to the capture file.
(24 May ‘15, 02:47) Kurt Knochner ♦