This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to create analysed statistics like Wireshark at the command line (with tshark or …)


Hi,
Thanks for the wonderful Wireshark!
I want to know how I can have analytical statistics (like the image below) like Wireshark on the command line.
Is it possible to have it on the command line so that we can read the results to draw a graph? (e.g. with tshark, tcpdump, ...)
Please note that it is important for me to have them in real time like Wireshark.

Thanks in Advance.

asked 20 Aug '11, 08:20


smc

edited 20 Aug '11, 11:12


joke

What sort of graph are you thinking of drawing with that statistic? It's not a graph in the sense of a 2D graph of two variables against each other; it might be, for example, a bar graph.

What do you mean by "real-time"? Do you mean that the graph should be displayed in real time and be updated continuously as new packets come in?

(20 Aug '11, 11:55) Guy Harris ♦♦

Thanks for your attention. I want to graph the number of SMPP requests and responses as shown in the Wireshark graph.

(20 Aug '11, 22:29) smc

There is no Wireshark graph shown there in your screenshot. There is a window with SMPP statistics shown as text, but there's no graph. To what graph are you referring?

(21 Aug '11, 00:06) Guy Harris ♦♦

3 Answers:


Capture filter
According to the Wireshark Wiki you cannot directly filter SMPP protocols while capturing.

You can use TShark with the option -T fields and send the output to a csv file.

$ tshark -r smpp.cap -T fields -e frame.number -e smpp.command_id -e smpp.command_status -E header=y > smpp.csv
frame.number    smpp.command_id smpp.command_status
1
2
3
4       0x00000002
5       0x80000002      0x00000000
6
7       0x00000015
8       0x80000015      0x00000000
9       0x00000004
10      0x80000004      0x00000000
11
12      0x00000006
13      0x80000006      0x00000000
14
15
16
17

Display filter
See the Display Filter Reference for a list of SMPP display filter fields.

Hope this helps somehow.

answered 20 Aug '11, 11:06


joke

Can TShark statistics help you?

Count the number of SMPP commands:

$ tshark -r smpp.cap -q -z io,stat,60,COUNT"(smpp.command_id)smpp.command_id",COUNT"(smpp.command_status)smpp.command_status"

IO Statistics
Interval: 60.000000 secs
Column #0: COUNT(smpp.command_id)smpp.command_id
Column #1: COUNT(smpp.command_status)smpp.command_status
                        | Column #0 | Column #1 |
Time                    |   COUNT   |   COUNT   |
0000.000000-0060.000000       8           4

Count the number of occurrences per SMPP command ID:

$ tshark -r smpp.cap -q -z io,stat,60,COUNT"(smpp.command_id)smpp.command_id&&smpp.command_id==0x00000002",COUNT"(smpp.command_id)smpp.command_id&&smpp.command_id==0x80000002",COUNT"(smpp.command_id)smpp.command_id&&smpp.command_id==0x00000015",COUNT"(smpp.command_id)smpp.command_id&&smpp.command_id==0x80000015",COUNT"(smpp.command_id)smpp.command_id&&smpp.command_id==0x00000004",COUNT"(smpp.command_id)smpp.command_id&&smpp.command_id==0x80000004",COUNT"(smpp.command_id)smpp.command_id&&smpp.command_id==0x00000006",COUNT"(smpp.command_id)smpp.command_id&&smpp.command_id==0x80000006",COUNT"(smpp.command_status)smpp.command_status&&smpp.command_status==0x00000000"

IO Statistics
Interval: 60.000000 secs
Column #0: COUNT(smpp.command_id)smpp.command_id&&smpp.command_id==0x00000002
Column #1: COUNT(smpp.command_id)smpp.command_id&&smpp.command_id==0x80000002
Column #2: COUNT(smpp.command_id)smpp.command_id&&smpp.command_id==0x00000015
Column #3: COUNT(smpp.command_id)smpp.command_id&&smpp.command_id==0x80000015
Column #4: COUNT(smpp.command_id)smpp.command_id&&smpp.command_id==0x00000004
Column #5: COUNT(smpp.command_id)smpp.command_id&&smpp.command_id==0x80000004
Column #6: COUNT(smpp.command_id)smpp.command_id&&smpp.command_id==0x00000006
Column #7: COUNT(smpp.command_id)smpp.command_id&&smpp.command_id==0x80000006
Column #8: COUNT(smpp.command_status)smpp.command_status&&smpp.command_status==0x00000000
                        | Column #0 | Column #1 | Column #2 | Column #3 | Column #4 | Column #5 | Column #6 | Column #7 | Column #8 |
Time                    |   COUNT   |   COUNT   |   COUNT   |   COUNT   |   COUNT   |   COUNT   |   COUNT   |   COUNT   |   COUNT   |
0000.000000-0060.000000       1           1           1           1           1           1           1           1           4
=====================================================================================================================================



SMPP Command ID
SMPP Requests
Bind_transmitter (0x00000002)
Enquire_link (0x00000015)
Submit_sm (0x00000004)
Unbind (0x00000006)

SMPP Responses
Bind_transmitter - resp (0x80000002)
Enquire_link - resp (0x80000015)
Submit_sm - resp (0x80000004)
Unbind - resp (0x80000006)

SMPP Response Status
Ok (0x00000000)

Here you can find an overview of the SMPP Command IDs:
http://92.61.226.39/pbook/tcpip9.htm

BTW, you can use this while capturing, but you will only see the packet list.
The statistics show up after stopping the capture process by hitting CTRL+C.

$ tshark -i <name or idx of interface> -z io,stat,60,COUNT"(smpp.command_id)smpp.command_id",COUNT"(smpp.command_status)smpp.command_status"

answered 21 Aug '11, 06:23


joke

edited 21 Aug '11, 06:30
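As an added example (not code from either answer above), the following script consumes the -T fields output shown in the first answer, either from a saved file or from a live `tshark -i <iface> -l -T fields -e frame.number -e smpp.command_id -e smpp.command_status` pipe, and tallies requests and responses per SMPP command using the command IDs listed above (deliver_sm, 0x00000005, added from the SMPP spec). It counts PDUs rather than frames: when several PDUs share one TCP segment tshark prints their command_ids comma-joined in one field, which is one reason a per-field COUNT and a per-packet count of the same capture can differ. The sample TSV is constructed.

```python
import sys
from collections import Counter

# Command IDs from the answer above plus deliver_sm (0x00000005); a subset of the SMPP spec.
SMPP_COMMANDS = {
    0x00000002: "bind_transmitter",
    0x00000004: "submit_sm",
    0x00000005: "deliver_sm",
    0x00000006: "unbind",
    0x00000015: "enquire_link",
}
RESPONSE_BIT = 0x80000000  # a response carries its request's command_id with this bit set

# Constructed sample of what the -T fields command above prints: frame 1 carries no SMPP,
# frames 9 and 10 each hold two PDUs in one TCP segment, which tshark joins with commas.
SAMPLE_TSV = """frame.number\tsmpp.command_id\tsmpp.command_status
1\t\t
4\t0x00000002\t
5\t0x80000002\t0x00000000
7\t0x00000015\t
8\t0x80000015\t0x00000000
9\t0x00000004,0x00000004\t
10\t0x80000004,0x80000004\t0x00000000,0x00000045
12\t0x00000006\t
13\t0x80000006\t0x00000000
"""

def tally(lines):
    """Count SMPP PDUs (not frames) per command; returns (requests, responses, statuses)."""
    requests, responses, statuses = Counter(), Counter(), Counter()
    for line in lines:
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) < 3 or not fields[1] or fields[1] == "smpp.command_id":
            continue  # header line, or a frame without an SMPP PDU
        for cid_text in fields[1].split(","):
            cid = int(cid_text, 16)
            base = cid & ~RESPONSE_BIT
            name = SMPP_COMMANDS.get(base, f"0x{base:08x}")  # unknown ids keep their hex value
            (responses if cid & RESPONSE_BIT else requests)[name] += 1
        if fields[2]:
            statuses.update(fields[2].split(","))
    return requests, responses, statuses

def main(argv):  # tally.py smpp.tsv, or pipe a live `tshark -l -T fields ...` into stdin
    req, resp, stat = tally(open(argv[1]) if len(argv) > 1 else sys.stdin)
    for name in sorted(set(req) | set(resp)):
        print(f"{name:18s} requests={req[name]:6d} responses={resp[name]:6d}")
    for status, n in sorted(stat.items()):
        print(f"status {status}: {n}")
if __name__ == "__main__":
    main(sys.argv)
```

The per-command counts it prints are the numbers you would feed to a plotting tool; tshark's -l flushes after every packet, so a piped run updates as packets arrive.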

Hi, I got different results when I get statistics for a sample SMPP capture file with tshark and Wireshark!!

In tshark with the command below I have the result below:

tshark -r sample_src_w -qz io,stat,777777,COUNT"(smpp.command_id)"smpp.command_id==0x80000005,COUNT"(smpp.command_id)"smpp.command_id==0x80000005
Running as user "root" and group "root". This could be dangerous.

===================================================================
IO Statistics
Interval: 777777.000 secs
Column #0: COUNT(smpp.command_id)smpp.command_id==0x80000005
Column #1: COUNT(smpp.command_id)smpp.command_id==0x80000005
                   | Column #0 | Column #1
Time               |   COUNT   |   COUNT
000.000-777777.000      8724        8724
===================================================================

but when I count with Wireshark it says I have "5343" 'Deliver - resp' packages

I also use a perl regular expression to count these packets (tshark -r smpp.cap | perl mycounter.pl), but I have 5341 packets there…

Could someone help me why it is so and why I have different results for the same file??!

Thanks in Advance.

(16 Sep '11, 10:09) shahab

Any idea?

I totally got confused :((

(18 Sep '11, 07:31) shahab

Did you check the time in secs while you are running the tshark command? Is it the same in Wireshark?

(19 Apr '13, 07:19) fachav2


Try this:

tshark -nr input.pcap -q -z smpp_commands,tree

This is an answer from Kurt here: http://ask.wireshark.org/questions/20589/use-tshark-to-get-smpp-operations-results

answered 19 Apr '13, 06:09


fachav2

Awesome! That's what I want, thanks!!

(21 Apr '13, 23:52) smc