This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is there a tshark -z QOS | DSCP way to get QOS statistics?

Basically i'm looking to answer the following question on many large, tracefiles: what value did the ip.dsfield.dscp have for each packet, so i can answer questions as , what percentage of the traffic was in Expedited Forwarding and what in other classes etc. tshark -z would be great to gather these, would it not? Or is there a way to count a certain field in tshark?

ip.dsfield.dscp qos tshark dscp -z

asked 16 Sep '15, 12:32

Marc
147●10●13●16
accept rate: 27%

One Answer:

By now , i've read up on some of Sake's Blok and Joke Snelders' work and this looks promising:

tshark -r test.pkt -q -z io,stat,300,COUNT"(ip.dsfield.dscp)ip.dsfield.dscp&&ip.dsfield.dscp==48",COUNT"(ip.dsfield.dscp)ip.dsfield.dscp&&ip.dsfield.dscp==46",COUNT"(ip.dsfield.dscp)ip.dsfield.dscp&&ip.dsfield.dscp==34",COUNT"(ip.dsfield.dscp)ip.dsfield.dscp&&ip.dsfield.dscp==32",COUNT"(ip.dsfield.dscp)ip.dsfield.dscp&&ip.dsfield.dscp==26",COUNT"(ip.dsfield.dscp)ip.dsfield.dscp&&ip.dsfield.dscp==24",COUNT"(ip.dsfield.dscp)ip.dsfield.dscp&&ip.dsfield.dscp==18",COUNT"(ip.dsfield.dscp)ip.dsfield.dscp&&ip.dsfield.dscp==16",COUNT"(ip.dsfield.dscp)ip.dsfield.dscp&&ip.dsfield.dscp==10",COUNT"(ip.dsfield.dscp)ip.dsfield.dscp&&ip.dsfield.dscp==8",COUNT"(ip.dsfield.dscp)ip.dsfield.dscp&&ip.dsfield.dscp==4",COUNT"(ip.dsfield.dscp)ip.dsfield.dscp&&ip.dsfield.dscp==0"

alt text

now lets check if the values found are the right amounts ...

answered 17 Sep '15, 08:15

Marc
147●10●13●16
accept rate: 27%

Right, so the values check out, now i've worked it over > 580 traces, got a substantial txt doc,

0.0 <> 118.9 | 5602 | 4024 | 9096 | 0 | 7162 | 0 | 56 | 0 | 0 | 0 | 0 | 1814545 |

did a FIND for 0.0 <> then a copy results to new file in PSPAD, use the | as a delimiter to work it in a spreadsheet .. .. hmm , i might just start marking my own comment as an answer ..

(18 Sep '15, 01:03) Marc