author | Chris Maynard <Christopher.Maynard@GTECH.COM> | 2012-03-15 14:29:44 +0000 |
---|---|---|
committer | Chris Maynard <Christopher.Maynard@GTECH.COM> | 2012-03-15 14:29:44 +0000 |
commit | a88ab3eccfa467b62f75ba2d5144071a2204c34d (patch) | |
tree | c3e0bbd68ca7b9141e919aacde9974ba2a07e85f /doc/tshark.pod | |
parent | ad9f8fffadf11e6b42688869d552c91f38bc422f (diff) |
Sort the -z options.
svn path=/trunk/; revision=41560
Diffstat (limited to 'doc/tshark.pod')
-rw-r--r-- | doc/tshark.pod | 500 |
1 files changed, 250 insertions, 250 deletions
diff --git a/doc/tshark.pod b/doc/tshark.pod index e037adc811..f9f7a9c76a 100644 --- a/doc/tshark.pod +++ b/doc/tshark.pod @@ -750,6 +750,30 @@ Currently implemented statistics are: =item B<-z> camel,srt +=item B<-z> conv,I<type>[,I<filter>] + +Create a table that lists all conversations that could be seen in the +capture. I<type> specifies the conversation endpoint types for which we +want to generate the statistics; currently the supported ones are: + + "eth" Ethernet addresses + "fc" Fibre Channel addresses + "fddi" FDDI addresses + "ip" IPv4 addresses + "ipv6" IPv6 addresses + "ipx" IPX addresses + "tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported + "tr" Token Ring addresses + "udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported + +If the optional I<filter> is specified, only those packets that match the +filter will be used in the calculations. + +The table is presented with one line for each conversation and displays +the number of packets/bytes in each direction as well as the total +number of packets/bytes. The table is sorted according to the total +number of frames. + =item B<-z> dcerpc,srt,I<uuid>,I<major>.I<minor>[,I<filter>] Collect call/reply SRT (Service Response Time) data for DCERPC interface I<uuid>, 
@@ -767,6 +791,154 @@ on those calls that match that filter. Example: S<B<-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4>> will collect SAMR SRT statistics for a specific host. +=item B<-z> diameter,avp[,I<cmd.code>,I<field>,I<field>,I<...>] + +This option enables extraction of most important diameter fields from large capture files. +Exactly one text line for each diameter message with matched B<diameter.cmd.code> will be printed. + +Empty diameter command code or '*' can be specified to mach any B<diameter.cmd.code> + +Example: B<-z diameter,avp> extract default field set from diameter messages. + +Example: B<-z diameter,avp,280> extract default field set from diameter DWR messages. + +Example: B<-z diameter,avp,272> extract default field set from diameter CC messages. + +Extract most important fields from diameter CC messages: + +B<tshark -r file.cap.gz -q -z diameter,avp,272,CC-Request-Type,CC-Request-Number,Session-Id,Subscription-Id-Data,Rating-Group,Result-Code> + +Following fields will be printed out for each diameter message: + + "frame" Frame number. + "time" Unix time of the frame arrival. + "src" Source address. + "srcport" Source port. + "dst" Destination address. + "dstport" Destination port. + "proto" Constant string 'diameter', which can be used for post processing of tshark output. E.g. grep/sed/awk. + "msgnr" seq. number of diameter message within the frame. E.g. '2' for the third diameter message in the same frame. + "is_request" '0' if message is a request, '1' if message is an answer. + "cmd" diameter.cmd_code, E.g. '272' for credit control messages. + "req_frame" Number of frame where matched request was found or '0'. + "ans_frame" Number of frame where matched answer was found or '0'. + "resp_time" response time in seconds, '0' in case if matched Request/Answer is not found in trace. E.g. in the begin or end of capture. + +B<-z diameter,avp> option is much faster than B<-V -T text> or B<-T pdml> options. 
+ +B<-z diameter,avp> option is more powerful than B<-T field> and B<-z proto,colinfo> options. + +Multiple diameter messages in one frame are supported. + +Several fields with same name within one diameter message are supported, e.g. I<diameter.Subscription-Id-Data> or I<diameter.Rating-Group>. + +Note: B<tshark -q> option is recommended to suppress default B<tshark> output. + +=item B<-z> expert[I<,error|,warn|,note|,chat>][I<,filter>] + +Collects information about all expert info, and will display them in order, +grouped by severity. + +Example: B<-z expert,sip> will show expert items of all severity for frames that +match the sip protocol. + +This option can be used multiple times on the command line. + +If the optional I<filter> is provided, the stats will only be calculated +on those calls that match that filter. + +Example: B<-z "expert,note,tcp"> will only collect expert items for frames that +include the tcp protocol, with a severity of note or higher. + +=item B<-z> follow,I<prot>,I<mode>,I<filter>[I<,range>] + +Displays the contents of a TCP or UDP stream between two nodes. The data +sent by the second node is prefixed with a tab to differentiate it from the +data sent by the first node. + +I<prot> specifies the transport protocol. It can be one of: + B<tcp> TCP + B<udp> UDP + +I<mode> specifies the output mode. It can be one of: + B<ascii> ASCII output with dots for non-printable characters + B<hex> Hexadecimal and ASCII data with offsets + B<raw> Hexadecimal data + +Since the output in B<ascii> mode may contain newlines, the length of each section +of output plus a newline precedes each section of output. + +I<filter> specifies the stream to be displayed. UDP streams are selected with +IP address plus port pairs. TCP streams are selected with either the stream +index or IP address plus port pairs. 
For example: + B<ip-addr0>:B<port0>,B<ip-addr1>:B<port1> + B<tcp-stream-index> + +I<range> optionally specifies which "chunks" of the stream should be displayed. + +Example: B<-z "follow,tcp,hex,1"> will display the contents of the first TCP +stream in "hex" format. + + =================================================================== + Follow: tcp,hex + Filter: tcp.stream eq 1 + Node 0: 200.57.7.197:32891 + Node 1: 200.57.7.198:2906 + 00000000 00 00 00 22 00 00 00 07 00 0a 85 02 07 e9 00 02 ...".... ........ + 00000010 07 e9 06 0f 00 0d 00 04 00 00 00 01 00 03 00 06 ........ ........ + 00000020 1f 00 06 04 00 00 ...... + 00000000 00 01 00 00 .... + 00000026 00 02 00 00 + +Example: B<-z "follow,tcp,ascii,200.57.7.197:32891,200.57.7.198:2906"> will +display the contents of a TCP stream between 200.57.7.197 port 32891 and +200.57.7.98 port 2906. + + =================================================================== + Follow: tcp,ascii + Filter: (ommitted for readability) + Node 0: 200.57.7.197:32891 + Node 1: 200.57.7.198:2906 + 38 + ..."..... + ................ + 4 + .... + +=item B<-z> h225,counter[I<,filter>] + +Count ITU-T H.225 messages and their reasons. In the first column you get a +list of H.225 messages and H.225 message reasons, which occur in the current +capture file. The number of occurrences of each message or reason is displayed +in the second column. + +Example: B<-z h225,counter>. + +If the optional I<filter> is provided, the stats will only be calculated +on those calls that match that filter. +Example: use B<-z "h225,counter,ip.addr==1.2.3.4"> to only collect stats for +H.225 packets exchanged by the host at IP address 1.2.3.4 . + +This option can be used multiple times on the command line. + +=item B<-z> h225,srt[I<,filter>] + +Collect requests/response SRT (Service Response Time) data for ITU-T H.225 RAS. 
+Data collected is number of calls of each ITU-T H.225 RAS Message Type, +Minimum SRT, Maximum SRT, Average SRT, Minimum in Packet, and Maximum in Packet. +You will also get the number of Open Requests (Unresponded Requests), +Discarded Responses (Responses without matching request) and Duplicate Messages. + +Example: B<-z h225,srt> + +This option can be used multiple times on the command line. + +If the optional I<filter> is provided, the stats will only be calculated +on those calls that match that filter. + +Example: B<-z "h225,srt,ip.addr==1.2.3.4"> will only collect stats for +ITU-T H.225 RAS packets exchanged by the host at IP address 1.2.3.4 . + =item B<-z> hosts[,ipv4][,ipv6] Dump any collected IPv4 and/or IPv6 addresses in "hosts" format. Both IPv4 
@@ -961,29 +1133,52 @@ the total number of bytes transmitted to the client (unidirectionally) at IP add 000.000- 33576 29721685 33576 29721685 870 29004801 ======================================================================================================================= -=item B<-z> conv,I<type>[,I<filter>] +=item B<-z> mac-lte,stat[I<,filter>] -Create a table that lists all conversations that could be seen in the -capture. I<type> specifies the conversation endpoint types for which we -want to generate the statistics; currently the supported ones are: +This option will activate a counter for LTE MAC messages. You will get +information about the maximum number of UEs/TTI, common messages and +various counters for each UE that appears in the log. - "eth" Ethernet addresses - "fc" Fibre Channel addresses - "fddi" FDDI addresses - "ip" IPv4 addresses - "ipv6" IPv6 addresses - "ipx" IPX addresses - "tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported - "tr" Token Ring addresses - "udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported +Example: B<-z mac-lte,stat>. -If the optional I<filter> is specified, only those packets that match the -filter will be used in the calculations. +This option can be used multiple times on the command line. -The table is presented with one line for each conversation and displays -the number of packets/bytes in each direction as well as the total -number of packets/bytes. The table is sorted according to the total -number of frames. +If the optional I<filter> is provided, the stats will only be calculated +for those frames that match that filter. +Example: B<-z "mac-lte,stat,mac-lte.rnti>3000"> will only collect stats for +UEs with an assigned RNTI whose value is more than 3000. + +=item B<-z> megaco,rtd[I<,filter>] + +Collect requests/response RTD (Response Time Delay) data for MEGACO. +(This is similar to B<-z smb,srt>). Data collected is the number of calls +for each known MEGACO Type, MinRTD, MaxRTD and AvgRTD. 
+Additionally you get the number of duplicate requests/responses, +unresponded requests, responses, which don't match with any request. +Example: B<-z megaco,rtd>. + +If the optional I<filter> is provided, the stats will only be calculated +on those calls that match that filter. +Example: B<-z "megaco,rtd,ip.addr==1.2.3.4"> will only collect stats for +MEGACO packets exchanged by the host at IP address 1.2.3.4 . + +This option can be used multiple times on the command line. + +=item B<-z> mgcp,rtd[I<,filter>] + +Collect requests/response RTD (Response Time Delay) data for MGCP. +(This is similar to B<-z smb,srt>). Data collected is the number of calls +for each known MGCP Type, MinRTD, MaxRTD and AvgRTD. +Additionally you get the number of duplicate requests/responses, +unresponded requests, responses, which don't match with any request. +Example: B<-z mgcp,rtd>. + +This option can be used multiple times on the command line. + +If the optional I<filter> is provided, the stats will only be calculated +on those calls that match that filter. +Example: B<-z "mgcp,rtd,ip.addr==1.2.3.4"> will only collect stats for +MGCP packets exchanged by the host at IP address 1.2.3.4 . =item B<-z> proto,colinfo,I<filter>,I<field> 
@@ -1013,48 +1208,27 @@ B<-z "proto,colinfo,nfs.fh.hash && ip.src==1.2.3.4,nfs.fh.hash"> This option can be used multiple times on the command line. -=item B<-z> diameter,avp[,I<cmd.code>,I<field>,I<field>,I<...>] - -This option enables extraction of most important diameter fields from large capture files. -Exactly one text line for each diameter message with matched B<diameter.cmd.code> will be printed. - -Empty diameter command code or '*' can be specified to mach any B<diameter.cmd.code> - -Example: B<-z diameter,avp> extract default field set from diameter messages. - -Example: B<-z diameter,avp,280> extract default field set from diameter DWR messages. - -Example: B<-z diameter,avp,272> extract default field set from diameter CC messages. - -Extract most important fields from diameter CC messages: - -B<tshark -r file.cap.gz -q -z diameter,avp,272,CC-Request-Type,CC-Request-Number,Session-Id,Subscription-Id-Data,Rating-Group,Result-Code> - -Following fields will be printed out for each diameter message: +=item B<-z> rlc-lte,stat[I<,filter>] - "frame" Frame number. - "time" Unix time of the frame arrival. - "src" Source address. - "srcport" Source port. - "dst" Destination address. - "dstport" Destination port. - "proto" Constant string 'diameter', which can be used for post processing of tshark output. E.g. grep/sed/awk. - "msgnr" seq. number of diameter message within the frame. E.g. '2' for the third diameter message in the same frame. - "is_request" '0' if message is a request, '1' if message is an answer. - "cmd" diameter.cmd_code, E.g. '272' for credit control messages. - "req_frame" Number of frame where matched request was found or '0'. - "ans_frame" Number of frame where matched answer was found or '0'. - "resp_time" response time in seconds, '0' in case if matched Request/Answer is not found in trace. E.g. in the begin or end of capture. +This option will activate a counter for LTE RLC messages. 
You will get +information about common messages and various counters for each UE that appears +in the log. -B<-z diameter,avp> option is much faster than B<-V -T text> or B<-T pdml> options. +Example: B<-z rlc-lte,stat>. -B<-z diameter,avp> option is more powerful than B<-T field> and B<-z proto,colinfo> options. +This option can be used multiple times on the command line. -Multiple diameter messages in one frame are supported. +If the optional I<filter> is provided, the stats will only be calculated +for those frames that match that filter. +Example: B<-z "rlc-lte,stat,rlc-lte.ueid>3000"> will only collect stats for +UEs with a UEId of more than 3000. -Several fields with same name within one diameter message are supported, e.g. I<diameter.Subscription-Id-Data> or I<diameter.Rating-Group>. +=item B<-z> rpc,programs -Note: B<tshark -q> option is recommended to suppress default B<tshark> output. +Collect call/reply SRT data for all known ONC-RPC programs/versions. +Data collected is number of calls for each protocol/version, MinSRT, +MaxSRT and AvgSRT. +This option can only be used once on the command line. =item B<-z> rpc,srt,I<program>,I<version>[,I<filter>] @@ -1071,13 +1245,6 @@ on those calls that match that filter. Example: B<-z rpc,srt,100003,3,nfs.fh.hash==0x12345678> will collect NFS v3 SRT statistics for a specific file. -=item B<-z> rpc,programs - -Collect call/reply SRT data for all known ONC-RPC programs/versions. -Data collected is number of calls for each protocol/version, MinSRT, -MaxSRT and AvgSRT. -This option can only be used once on the command line. - =item B<-z> rtp,streams Collect statistics for all RTP streams and calculate max. delta, max. and 
@@ -1102,29 +1269,20 @@ on those calls that match that filter. Example: B<-z scsi,srt,0,ip.addr==1.2.3.4> will collect SCSI SBC SRT statistics for a specific iscsi/ifcp/fcip host. -=item B<-z> smb,srt[,I<filter>] - -Collect call/reply SRT (Service Response Time) data for SMB. Data collected -is number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT. +=item B<-z> sip,stat[I<,filter>] -Example: B<-z smb,srt> +This option will activate a counter for SIP messages. You will get the number +of occurrences of each SIP Method and of each SIP Status-Code. Additionally +you also get the number of resent SIP Messages (only for SIP over UDP). -The data will be presented as separate tables for all normal SMB commands, -all Transaction2 commands and all NT Transaction commands. -Only those commands that are seen in the capture will have its stats -displayed. -Only the first command in a xAndX command chain will be used in the -calculation. So for common SessionSetupAndX + TreeConnectAndX chains, -only the SessionSetupAndX call will be used in the statistics. -This is a flaw that might be fixed in the future. +Example: B<-z sip,stat>. This option can be used multiple times on the command line. If the optional I<filter> is provided, the stats will only be calculated on those calls that match that filter. - -Example: B<-z "smb,srt,ip.addr==1.2.3.4"> will only collect stats for -SMB packets exchanged by the host at IP address 1.2.3.4 . +Example: B<-z "sip,stat,ip.addr==1.2.3.4"> will only collect stats for +SIP packets exchanged by the host at IP address 1.2.3.4 . =item B<-z> smb,sids 
@@ -1140,187 +1298,29 @@ S<B<-o "smb.sid_name_snooping:TRUE">> on the B<TShark> command line. The current method used by B<TShark> to find the SID->name mapping is relatively restricted with a hope of future expansion. -=item B<-z> mgcp,rtd[I<,filter>] - -Collect requests/response RTD (Response Time Delay) data for MGCP. -(This is similar to B<-z smb,srt>). Data collected is the number of calls -for each known MGCP Type, MinRTD, MaxRTD and AvgRTD. -Additionally you get the number of duplicate requests/responses, -unresponded requests, responses, which don't match with any request. -Example: B<-z mgcp,rtd>. - -This option can be used multiple times on the command line. - -If the optional I<filter> is provided, the stats will only be calculated -on those calls that match that filter. -Example: B<-z "mgcp,rtd,ip.addr==1.2.3.4"> will only collect stats for -MGCP packets exchanged by the host at IP address 1.2.3.4 . - -=item B<-z> megaco,rtd[I<,filter>] - -Collect requests/response RTD (Response Time Delay) data for MEGACO. -(This is similar to B<-z smb,srt>). Data collected is the number of calls -for each known MEGACO Type, MinRTD, MaxRTD and AvgRTD. -Additionally you get the number of duplicate requests/responses, -unresponded requests, responses, which don't match with any request. -Example: B<-z megaco,rtd>. - -If the optional I<filter> is provided, the stats will only be calculated -on those calls that match that filter. -Example: B<-z "megaco,rtd,ip.addr==1.2.3.4"> will only collect stats for -MEGACO packets exchanged by the host at IP address 1.2.3.4 . - -This option can be used multiple times on the command line. - -=item B<-z> h225,counter[I<,filter>] - -Count ITU-T H.225 messages and their reasons. In the first column you get a -list of H.225 messages and H.225 message reasons, which occur in the current -capture file. The number of occurrences of each message or reason is displayed -in the second column. - -Example: B<-z h225,counter>. 
- -If the optional I<filter> is provided, the stats will only be calculated -on those calls that match that filter. -Example: use B<-z "h225,counter,ip.addr==1.2.3.4"> to only collect stats for -H.225 packets exchanged by the host at IP address 1.2.3.4 . - -This option can be used multiple times on the command line. - -=item B<-z> h225,srt[I<,filter>] - -Collect requests/response SRT (Service Response Time) data for ITU-T H.225 RAS. -Data collected is number of calls of each ITU-T H.225 RAS Message Type, -Minimum SRT, Maximum SRT, Average SRT, Minimum in Packet, and Maximum in Packet. -You will also get the number of Open Requests (Unresponded Requests), -Discarded Responses (Responses without matching request) and Duplicate Messages. - -Example: B<-z h225,srt> - -This option can be used multiple times on the command line. - -If the optional I<filter> is provided, the stats will only be calculated -on those calls that match that filter. - -Example: B<-z "h225,srt,ip.addr==1.2.3.4"> will only collect stats for -ITU-T H.225 RAS packets exchanged by the host at IP address 1.2.3.4 . - -=item B<-z> sip,stat[I<,filter>] - -This option will activate a counter for SIP messages. You will get the number -of occurrences of each SIP Method and of each SIP Status-Code. Additionally -you also get the number of resent SIP Messages (only for SIP over UDP). - -Example: B<-z sip,stat>. - -This option can be used multiple times on the command line. - -If the optional I<filter> is provided, the stats will only be calculated -on those calls that match that filter. -Example: B<-z "sip,stat,ip.addr==1.2.3.4"> will only collect stats for -SIP packets exchanged by the host at IP address 1.2.3.4 . - -=item B<-z> mac-lte,stat[I<,filter>] - -This option will activate a counter for LTE MAC messages. You will get -information about the maximum number of UEs/TTI, common messages and -various counters for each UE that appears in the log. - -Example: B<-z mac-lte,stat>. 
- -This option can be used multiple times on the command line. - -If the optional I<filter> is provided, the stats will only be calculated -for those frames that match that filter. -Example: B<-z "mac-lte,stat,mac-lte.rnti>3000"> will only collect stats for -UEs with an assigned RNTI whose value is more than 3000. - -=item B<-z> rlc-lte,stat[I<,filter>] - -This option will activate a counter for LTE RLC messages. You will get -information about common messages and various counters for each UE that appears -in the log. - -Example: B<-z rlc-lte,stat>. - -This option can be used multiple times on the command line. - -If the optional I<filter> is provided, the stats will only be calculated -for those frames that match that filter. -Example: B<-z "rlc-lte,stat,rlc-lte.ueid>3000"> will only collect stats for -UEs with a UEId of more than 3000. +=item B<-z> smb,srt[,I<filter>] -=item B<-z> expert[I<,error|,warn|,note|,chat>][I<,filter>] +Collect call/reply SRT (Service Response Time) data for SMB. Data collected +is number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT. -Collects information about all expert info, and will display them in order, -grouped by severity. +Example: B<-z smb,srt> -Example: B<-z expert,sip> will show expert items of all severity for frames that -match the sip protocol. +The data will be presented as separate tables for all normal SMB commands, +all Transaction2 commands and all NT Transaction commands. +Only those commands that are seen in the capture will have its stats +displayed. +Only the first command in a xAndX command chain will be used in the +calculation. So for common SessionSetupAndX + TreeConnectAndX chains, +only the SessionSetupAndX call will be used in the statistics. +This is a flaw that might be fixed in the future. This option can be used multiple times on the command line. If the optional I<filter> is provided, the stats will only be calculated on those calls that match that filter. 
-Example: B<-z "expert,note,tcp"> will only collect expert items for frames that -include the tcp protocol, with a severity of note or higher. - -=item B<-z> follow,I<prot>,I<mode>,I<filter>[I<,range>] - -Displays the contents of a TCP or UDP stream between two nodes. The data -sent by the second node is prefixed with a tab to differentiate it from the -data sent by the first node. - -I<prot> specifies the transport protocol. It can be one of: - B<tcp> TCP - B<udp> UDP - -I<mode> specifies the output mode. It can be one of: - B<ascii> ASCII output with dots for non-printable characters - B<hex> Hexadecimal and ASCII data with offsets - B<raw> Hexadecimal data - -Since the output in B<ascii> mode may contain newlines, the length of each section -of output plus a newline precedes each section of output. - -I<filter> specifies the stream to be displayed. UDP streams are selected with -IP address plus port pairs. TCP streams are selected with either the stream -index or IP address plus port pairs. For example: - B<ip-addr0>:B<port0>,B<ip-addr1>:B<port1> - B<tcp-stream-index> - -I<range> optionally specifies which "chunks" of the stream should be displayed. - -Example: B<-z "follow,tcp,hex,1"> will display the contents of the first TCP -stream in "hex" format. - - =================================================================== - Follow: tcp,hex - Filter: tcp.stream eq 1 - Node 0: 200.57.7.197:32891 - Node 1: 200.57.7.198:2906 - 00000000 00 00 00 22 00 00 00 07 00 0a 85 02 07 e9 00 02 ...".... ........ - 00000010 07 e9 06 0f 00 0d 00 04 00 00 00 01 00 03 00 06 ........ ........ - 00000020 1f 00 06 04 00 00 ...... - 00000000 00 01 00 00 .... - 00000026 00 02 00 00 - -Example: B<-z "follow,tcp,ascii,200.57.7.197:32891,200.57.7.198:2906"> will -display the contents of a TCP stream between 200.57.7.197 port 32891 and -200.57.7.98 port 2906. 
- - =================================================================== - Follow: tcp,ascii - Filter: (ommitted for readability) - Node 0: 200.57.7.197:32891 - Node 1: 200.57.7.198:2906 - 38 - ..."..... - ................ - 4 - .... +Example: B<-z "smb,srt,ip.addr==1.2.3.4"> will only collect stats for +SMB packets exchanged by the host at IP address 1.2.3.4 . =back |
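Review bot: in the `@@ -767,6 +791,154 @@` hunk, the prose for the second B<-z> follow example says the stream runs to "200.57.7.98 port 2906", but the command on the line above it and the "Node 1" line of the sample output both use 200.57.7.198. The move carries the mismatch over unchanged, along with "mach any B<diameter.cmd.code>" and "(ommitted for readability)" in the same hunk. The diameter field table also documents "is_request" as '0' for a request and '1' for an answer, which reads inverted for a field of that name and is worth checking against the tap's actual output. Because this commit is a pure reordering, these are best fixed in a separate follow-up so that the move stays reviewable as a move.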
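Review bot: in the `@@ -961,29 +1133,52 @@` hunk, the mac-lte example `B<-z "mac-lte,stat,mac-lte.rnti>3000">` contains a bare `>` inside a single-bracket POD formatting code, so the bold span ends at `mac-lte.rnti` and the rest (`3000">`) is rendered as plain text. The rlc-lte example moved in the `@@ -1013,48 +1208,27 @@` hunk, `B<-z "rlc-lte,stat,rlc-lte.ueid>3000">`, has the same problem. Suggest the doubled-bracket form, `B<< -z "mac-lte,stat,mac-lte.rnti>3000" >>`, or `E<gt>` for the comparison operator. Also in this hunk, the megaco,rtd and mgcp,rtd entries place "This option can be used multiple times on the command line." on opposite sides of the filter paragraph; since the entries are now adjacent, making them consistent would be cheap.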
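Review bot: in the `@@ -1140,187 +1298,29 @@` hunk, the relocated smb,srt entry still reads "Only those commands that are seen in the capture will have its stats displayed", where "its" should be "their". The same entry documents a known limitation ("Only the first command in a xAndX command chain will be used in the calculation") and closes with "This is a flaw that might be fixed in the future"; now that smb,srt sits at the end of the list, it would help to state that limitation as a Note so readers of SRT figures for SessionSetupAndX + TreeConnectAndX chains do not miss it.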