This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Analyze per IP

0

I'm desperately trying to determine which clients (IP) are causing a large amount of lag to my server. I have been able to manually scan packet data with IP filters to determine which ones have a large bad packets / total packet ratio, but this is a very labor intensive process. Is there a way to display all clients simultaneously and their "bad" packets / their total packets ratio? Thanks in advance!

Michael

asked 17 Sep '11, 02:32

mikebriggs2k's gravatar image

mikebriggs2k
1111
accept rate: 0%

One Answer:

2

I'm not sure what "you" mean by bad packets, but I assume you are able to create a display filter that will match only the bad packets. In that case, there are two ways of doing this.

In Wireshark:

  • Use the display filter for "bad" packets
  • Go to "Statistics -> Endpoints"
  • Click on the IP TAB
  • Use "copy" to copy the data in CSV format to clipboard
  • Import the data in a tool of choice
  • Now enable the "Limit to display filter" checkmark
  • Again use copy to export the data
  • Use your tool of choice to match the IP addresses in both outputs

In tshark:

The steps are basically the same, but now use the following to commands to create the output:

  • tshark -r <file> -qz conv,ip
  • tshark -r <file> -qz conv,ip<bad-packet-filter>

This assumes the destination address is always the server-ip as tshark will create conversation overviews, not endpoint overviews.

answered 17 Sep '11, 03:32

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%