Statistics
Introduction

Ethereal provides a wide range of network statistics. These statistics range from general information about the loaded capture file (like the number of captured packets) to statistics about specific protocols (e.g. statistics about the number of HTTP requests and responses captured).

General statistics:
  Summary about the capture file.
  Protocol Hierarchy of the captured packets.
  Endpoints e.g. traffic to and from an IP address.
  Conversations e.g. traffic between specific IP addresses.
  IO Graphs visualizing the number of packets (or similar) in time.

Protocol specific statistics:
  Service Response Time between request and response of some protocols.
  Various other protocol specific statistics.

Tip! The protocol specific statistics require detailed knowledge about the specific protocol. Unless you are familiar with that protocol, statistics about it will be pretty hard to understand.
The "Summary" window

General statistics about the current capture file.

Figure: The "Summary" window

  File: general information about the capture file.
  Time: the timestamps when the first and the last packet were captured (and the time between them).
  Capture: information from the time when the capture was done (only available if the packet data was captured from the network and not loaded from a file).
  Display: some display related information.
  Traffic: some statistics of the network traffic seen. If a display filter is set, you will see values in both columns. The values in the Captured column will remain the same as before, while the values in the Displayed column will reflect the values corresponding to the packets shown in the display.
The "Protocol Hierarchy" window

The protocol hierarchy of the captured packets.

Figure: The "Protocol Hierarchy" window
This is a tree of all the protocols in the capture. You can collapse or expand subtrees, by clicking on the plus / minus icons. By default, all trees are expanded.
Each row contains the statistical values of one protocol. The following columns containing the statistical values are available:
  Protocol: this protocol's name
  % Packets: the percentage of protocol packets, relative to all packets in the capture
  Packets: the absolute number of packets of this protocol
  Bytes: the absolute number of bytes of this protocol
  MBit/s: the bandwidth of this protocol, relative to the capture time
  End Packets: the absolute number of packets of this protocol (where this protocol was the highest protocol to decode)
  End Bytes: the absolute number of bytes of this protocol (where this protocol was the highest protocol to decode)
  End MBit/s: the bandwidth of this protocol, relative to the capture time (where this protocol was the highest protocol to decode)

Note! Packets will usually contain multiple protocols, so more than one protocol will be counted for each packet. Example: In the screenshot IP has 99,17% and TCP 85,83% (which is together much more than 100%).
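The counting rule behind these columns, as an added example that is not part of Ethereal or of the original guide: it builds the tree from constructed packets and shows why the percentages add up to more than 100% while the End Packets column adds up to exactly the packet count. The sample packets, the function names and the choice to count the whole frame length as "Bytes" are assumptions.

```python
from collections import defaultdict

# Constructed sample, not from a real capture: (frame length in bytes,
# protocols dissected in the frame, lowest layer first).
PACKETS = [
    (60, ["eth", "arp"]),
    (74, ["eth", "ip", "tcp"]),
    (590, ["eth", "ip", "tcp", "http"]),
    (66, ["eth", "ip", "tcp"]),
    (90, ["eth", "ip", "udp", "dns"]),
    (106, ["eth", "ip", "udp", "dns"]),
]


def protocol_hierarchy(packets):
    """Return {protocol path: column values} for the tree described above."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0,
                                 "end_packets": 0, "end_bytes": 0})
    for length, stack in packets:
        # Every protocol in the frame is counted, so one packet adds to
        # several rows. Assumption: "Bytes" is the whole frame length.
        for depth in range(1, len(stack) + 1):
            row = stats[tuple(stack[:depth])]
            row["packets"] += 1
            row["bytes"] += length
        # Only the highest protocol decoded gets the "End" counters.
        stats[tuple(stack)]["end_packets"] += 1
        stats[tuple(stack)]["end_bytes"] += length
    for row in stats.values():
        row["pct_packets"] = round(100.0 * row["packets"] / len(packets), 2)
    return dict(stats)


def render(stats):
    """Format the rows as an indented tree, one protocol per line."""
    lines = []
    for path in sorted(stats):  # tuple order yields a depth-first tree
        row = stats[path]
        name = "  " * (len(path) - 1) + path[-1]
        lines.append("%-12s %6.2f%% %2d pkts %5d bytes | end %d pkts %4d bytes"
                     % (name, row["pct_packets"], row["packets"],
                        row["bytes"], row["end_packets"], row["end_bytes"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(protocol_hierarchy(PACKETS)))
```

A row with many packets but zero End Packets (udp in this sample) is a pure transport row: everything it carried was decoded further.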
Endpoints

Statistics of the endpoints captured.

Tip! If you are looking for a feature other network tools call a hostlist, here is the right place to look. The list of Ethernet or IP endpoints is usually what you're looking for.

What is an Endpoint?

A network endpoint is the logical endpoint of separate protocol traffic of a specific protocol layer. The endpoint statistics of Ethereal will take the following endpoints into account:
  Ethernet: an Ethernet endpoint is identical to the Ethernet's MAC address.
  Fibre Channel: XXX - insert info here.
  FDDI: a FDDI endpoint is identical to the FDDI MAC address.
  IPv4: an IP endpoint is identical to its IP address.
  IPX: XXX - insert info here.
  TCP: a TCP endpoint is a combination of the IP address and the TCP port used, so different TCP ports on the same IP address are different TCP endpoints.
  Token Ring: a Token Ring endpoint is identical to the Token Ring MAC address.
  UDP: a UDP endpoint is a combination of the IP address and the UDP port used, so different UDP ports on the same IP address are different UDP endpoints.

Broadcast / multicast endpoints

Broadcast / multicast traffic will be shown separately as additional endpoints. Of course, as these endpoints are virtual endpoints, the real traffic will be received by all (multicast: some) of the listed unicast endpoints.
The "Endpoints" window

This window shows statistics about the endpoints captured.

Figure: The "Endpoints" window

For each supported protocol, a tab is shown in this window. The tab label shows the number of endpoints captured (e.g. the tab label "Ethernet: 5" tells you that five Ethernet endpoints have been captured). If no endpoints of a specific protocol were captured, the tab label will be grayed out (although the related page can still be selected).

Each row in the list shows the statistical values for exactly one endpoint.

Name resolution will be done if selected in the window and if it is active for the specific protocol layer (MAC layer for the selected Ethernet endpoints page). As you might have noticed, the first row has a name resolution of the first three bytes "Netgear", the second row's address was resolved to an IP address (using ARP) and the third was resolved to a broadcast (unresolved this would still be: ff:ff:ff:ff:ff:ff); the last two Ethernet addresses remain unresolved.

Tip! This window will be updated frequently, so it will be useful, even if you open it before (or while) you are doing a live capture.

The protocol specific "Endpoint List" windows

Before the combined window described above was available, each of its pages was shown as a separate window. Even though the combined window is much more convenient to use, these separate windows are still available. The main reason is that they might process faster for very large capture files. However, as the functionality is exactly the same as in the combined window, they won't be discussed in detail here.
Conversations

Statistics of the captured conversations.

What is a Conversation?

A network conversation is the traffic between two specific endpoints. For example, an IP conversation is all the traffic between two IP addresses. The description of the known endpoint types can be found in the "What is an Endpoint?" section.
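How the endpoint and conversation definitions play out on the same traffic, as an added example that is not part of Ethereal or of the original guide: it derives the IPv4 and TCP endpoint lists and conversation lists from constructed packets. The addresses, ports, byte counts and function names are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed TCP packets, not from a real capture:
# (source IP, source port, destination IP, destination port, frame bytes)
PACKETS = [
    ("192.0.2.10", 49152, "198.51.100.5", 80, 74),
    ("198.51.100.5", 80, "192.0.2.10", 49152, 74),
    ("192.0.2.10", 49153, "198.51.100.5", 80, 590),
    ("198.51.100.5", 80, "192.0.2.10", 49153, 1514),
    ("192.0.2.10", 49154, "198.51.100.5", 443, 200),
    ("192.0.2.11", 50000, "198.51.100.5", 443, 120),
]


def endpoint_key(ip, port, layer):
    """An IPv4 endpoint is the address; a TCP endpoint is address plus port."""
    if layer == "ipv4":
        return ip
    if layer == "tcp":
        return (ip, port)
    raise ValueError("unsupported layer: %r" % layer)


def endpoints(packets, layer):
    """Packets and bytes seen per endpoint (sent or received) at one layer."""
    table = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, sport, dst, dport, size in packets:
        for key in (endpoint_key(src, sport, layer),
                    endpoint_key(dst, dport, layer)):
            table[key]["packets"] += 1
            table[key]["bytes"] += size
    return dict(table)


def conversations(packets, layer):
    """Packets and bytes per endpoint pair; both directions share one row."""
    table = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, sport, dst, dport, size in packets:
        pair = tuple(sorted((endpoint_key(src, sport, layer),
                             endpoint_key(dst, dport, layer))))
        table[pair]["packets"] += 1
        table[pair]["bytes"] += size
    return dict(table)


if __name__ == "__main__":
    for layer in ("ipv4", "tcp"):
        print(layer, len(endpoints(PACKETS, layer)), "endpoints,",
              len(conversations(PACKETS, layer)), "conversations")
```

The same six packets give 3 endpoints and 2 conversations at the IPv4 layer but 6 endpoints and 4 conversations at the TCP layer, which is why a single busy host pair can hide several distinct sessions.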
The "Conversations" window

Apart from the list content, the conversations window works the same way as the endpoints one; see the "Endpoints" window section for a description of how it works.

Figure: The "Conversations" window

The protocol specific "Conversation List" windows

Before the combined window described above was available, each of its pages was shown as a separate window. Even though the combined window is much more convenient to use, these separate windows are still available. The main reason is that they might process faster for very large capture files. However, as the functionality is exactly the same as in the combined window, they won't be discussed in detail here.
The "IO Graphs" window

User configurable graph of the captured network packets. You can define up to five differently colored graphs.

Figure: The "IO Graphs" window

The user can configure the following things:

Graphs
  Graph 1-5: enable the graph 1-5 (only graph 1 is enabled by default)
  Color: the color of the graph (cannot be changed)
  Filter: a display filter for this graph (only the packets that pass this filter will be taken into account for that graph)
  Style: the style of the graph (Line/Impulse/FBar)

X Axis
  Tick interval: the time an interval in x direction lasts (10/1/0.1/0.01/0.001 seconds)
  Pixels per tick: use 10/5/2/1 pixels per tick interval

Y Axis
  Unit: the unit for the y direction (Packets/Tick, Bytes/Tick, Advanced...)
  Scale: the scale for the y unit (10,20,50,100,200,500,...)

XXX - describe the Advanced feature.
Service Response Time

The service response time is the time between a request and the corresponding response. This information is available for many protocols.

Service response time statistics are currently available for the following protocols:
  DCE-RPC
  Fibre Channel
  ITU-T H.225 RAS
  LDAP
  MGCP
  ONC-RPC
  SMB

As an example, the DCE-RPC service response time is described in more detail.

Note! The other Service Response Time windows will work the same way (or only slightly different) compared to the following description.

The "Service Response Time DCE-RPC" window

The service response time of DCE-RPC is the time between the request and the corresponding response.

First of all, you have to select the DCE-RPC interface:

Figure: The "Compute DCE-RPC statistics" window
You can optionally set a display filter, to reduce the amount of packets.
Figure: The "DCE-RPC Statistic for ..." window

Each row corresponds to a method of the interface selected (so the EPM interface in version 3 has 7 methods). For each method, the number of calls and the statistics of the SRT are calculated.
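The per-method calculation described above, as an added example that is not part of Ethereal or of the original guide: it pairs each request with its response and summarises the service response time per method. The event records, the pairing key (conversation plus call id) and the choice of minimum, maximum and average as the statistics are assumptions; the method names are sample values.

```python
from collections import defaultdict

# Constructed events, not from a real capture:
# (timestamp in microseconds, conversation, call id, kind, method)
EVENTS = [
    (0,     "c1", 1, "request",  "ept_map"),
    (4000,  "c1", 1, "response", "ept_map"),
    (10000, "c1", 2, "request",  "ept_lookup"),
    (20000, "c2", 1, "request",  "ept_map"),
    (31000, "c1", 2, "response", "ept_lookup"),
    (32000, "c2", 1, "response", "ept_map"),
    (40000, "c2", 2, "request",  "ept_map"),     # never answered
    (50000, "c2", 9, "response", "ept_lookup"),  # request not captured
]


def service_response_times(events):
    """Return (per-method SRT rows, unanswered requests, orphan responses)."""
    pending = {}                 # (conversation, call id) -> (time, method)
    samples = defaultdict(list)  # method -> SRT samples in microseconds
    orphans = 0
    for ts, conv, call_id, kind, method in sorted(events):
        key = (conv, call_id)
        if kind == "request":
            pending[key] = (ts, method)
        elif key in pending:
            sent, req_method = pending.pop(key)
            samples[req_method].append(ts - sent)
        else:
            orphans += 1  # response without a request cannot be timed
    rows = {}
    for method, values in samples.items():
        rows[method] = {"calls": len(values), "min": min(values),
                        "max": max(values), "avg": sum(values) / len(values)}
    return rows, len(pending), orphans


if __name__ == "__main__":
    rows, unanswered, orphans = service_response_times(EVENTS)
    for method in sorted(rows):
        print(method, rows[method])
    print("unanswered requests:", unanswered, "orphan responses:", orphans)
```

Requests that never get a response and responses whose request fell outside the capture are counted separately, because neither can contribute a response time.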
The protocol specific statistics windows

The protocol specific statistics windows display detailed information of specific protocols and might be described in a later version of this document.