
stumbling over use of io,stat,0,SUM...

I would like to use tshark to SUM tcp.delta_time in a pcap. But clearly I'm fumbling something. Pointers?

tshark 2.6.10

guru> tshark -r sample.pcapng –Y tcp.dstport==443 -o tcp.calculate_timestamps:TRUE -z io,stat,0,"SUM(tcp.time_delta)tcp.time_delta"
guru> tshark: "" was unexpected in this context

Seems to me that the use of "" is required in this context ... what is this error telling me?

tshark 3.20.0

C:\Temp>tshark -r sample.pcapng -o tcp.calculate_timestamps:TRUE -Y tcp.dstport==443 -z io,stat,0."SUM(tcp.time_delta)tcp.time_delta"

tshark: invalid "-z io,stat,<interval>[,<filter>][,<filter>]..." argument

C:\Temp>

Seems like tshark is interpreting this line as belonging to the standard class of '-z io,stat' lines ... whereas I would prefer that it interpret my options as belonging to the "COUNT|SUM|MIN|MAX|AVG|LOAD" approach (https://www.wireshark.org/docs/man-pa...) ... but again, I don't see why tshark is interpreting my options this way

Googling, I can find syntax which looks similar to me https://seclists.org/wireshark/2011/N... https://www.wireshark.org/lists/wires...

But apparently, I'm not copying as accurately as I would like from these past posts.

Suggestions?

--sk

Stuart Kendrick

Stuart Kendrick
asked 2020-01-07 19:10:30 +0000
grahamb
updated 2020-01-07 22:38:14 +0000

Comments

Output of tshark -v or confirm this is on Windows. (C:\Temp> in question)
Oops - missed the examples were from Windows and some other OS.

Chuckc (2020-01-07 19:46:20 +0000)

1 Answer


Windows syntax:

C:\>tshark -r .\smtp.pcap -o tcp.calculate_timestamps:TRUE -Y tcp.dstport==443 -z io,stat,0,SUM(tcp.time_delta)tcp.time_delta

============================================
| IO Statistics                            |
|                                          |
| Duration: 9.198 secs                     |
| Interval: 9.198 secs                     |
|                                          |
| Col 1: SUM(tcp.time_delta)tcp.time_delta |
|------------------------------------------|
|                |1         |              |
| Interval       |    SUM   |              |
|---------------------------|              |
| 0.000 <> 9.198 | 7.577713 |              |
============================================

Linux:

root@kali:~# tshark -r ./nfl_short.pcapng  -Y tcp.dstport==443 -o tcp.calculate_timestamps:TRUE -z io,stat,0,SUM\(tcp.time_delta\)tcp.time_delta
Running as user "root" and group "root". This could be dangerous.

============================================
| IO Statistics                            |
|                                          |
| Duration: 3.144 secs                     |
| Interval: 3.144 secs                     |
|                                          |
| Col 1: SUM(tcp.time_delta)tcp.time_delta |
|------------------------------------------|
|                |1         |              |
| Interval       |    SUM   |              |
|---------------------------|              |
| 0.000 <> 3.144 | 3.168073 |              |
============================================
root@kali:~#
Chuckc
answered 2020-01-07 19:52:54 +0000

Comments

Instead of escaping "troublesome" characters in the command line you can also quote them, e.g.

tshark -r ./nfl_short.pcapng  -o tcp.calculate_timestamps:TRUE -Y tcp.dstport==443 -z "io,stat,0,SUM(tcp.time_delta)tcp.time_delta"

Might be more helpful to show the parameters in the same order so that folks don't think it's significant for the OS.

grahamb (2020-01-07 22:41:28 +0000)

I happen to be a big fan of the "\" backslash. Especially when trying to remember if it takes 3, 4 or 5 to escape a regular expression in sed or grep. :-)

The issue in the original question was typos:
- there are extra characters between sample.pcapng and the -Y (copy/paste to vi to see these)
- 0."SUM vs 0,"Sum in the second

Chuckc (2020-01-08 13:43:10 +0000)

I guess the other thing with escapes is that they tend to be OS\shell specific, whereas quotes don't, although what needs to be quoted is another big ball of hair.

grahamb (2020-01-08 13:50:49 +0000)
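The quoting-versus-escaping exchange above, and Chuckc's note about invisible pasted characters, come down to three things a shell user can check without running tshark. The script below is an added example; it is not from this thread or from the Wireshark project. It shows that the quoted and backslash-escaped forms of the -z argument reach the program as one identical word, counts bytes outside printable ASCII in a command line (an en dash pasted in place of "-" is three UTF-8 bytes), and pulls the SUM value out of an io,stat table. The table is a constructed copy of the one in the answer; the only tools assumed are POSIX sh, tr, wc and awk.

```shell
#!/bin/sh
# Added example, not part of the thread or of Wireshark itself.
# Assumes only POSIX sh, tr, wc and awk; tshark is never invoked.

# Print every argument on its own line, exactly as the shell split them.
show_argv() {
    printf '%s\n' "$@"
}

# The -z argument written with quotes (the form grahamb suggests).
zarg_quoted() {
    show_argv -z "io,stat,0,SUM(tcp.time_delta)tcp.time_delta"
}

# The same argument written with backslash escapes (the form in the answer).
# Unquoted and unescaped, the parentheses would be a shell syntax error.
zarg_escaped() {
    show_argv -z io,stat,0,SUM\(tcp.time_delta\)tcp.time_delta
}

# Number of bytes in $1 outside printable ASCII (space through tilde).
# A pasted en dash is three UTF-8 bytes, so anything above 0 means the
# line is not what it looks like on screen.
count_nonascii() {
    printf '%s' "$1" | LC_ALL=C tr -d ' -~' | wc -c | tr -d ' '
}

# Constructed copy of the io,stat table from the Windows run in the answer.
sample_iostat_table() {
    cat <<'EOF'
============================================
| IO Statistics                            |
|                                          |
| Duration: 9.198 secs                     |
| Interval: 9.198 secs                     |
|                                          |
| Col 1: SUM(tcp.time_delta)tcp.time_delta |
|------------------------------------------|
|                |1         |              |
| Interval       |    SUM   |              |
|---------------------------|              |
| 0.000 <> 9.198 | 7.577713 |              |
============================================
EOF
}

# Read an io,stat table on stdin and print the value column of each
# interval row (the rows containing "<>"), one value per line.
iostat_sums() {
    awk -F'|' '/<>/ { gsub(/ /, "", $3); print $3 }'
}

# Stand-alone demonstration.
echo "quoted form:";  zarg_quoted
echo "escaped form:"; zarg_escaped
echo "non-ASCII bytes in a clean line: $(count_nonascii 'tshark -r sample.pcapng -Y tcp.dstport==443')"
echo "SUM(tcp.time_delta) from the sample table: $(sample_iostat_table | iostat_sums)"
```

Pipe real output into iostat_sums when scripting tshark over many captures: with a non-zero interval it prints one value per interval row, and a non-zero result from count_nonascii on a pasted command line is the quickest way to spot the kind of character substitution that caused the original error.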
