Diffstat (limited to 'docbook/wsug_src/WSUG_chapter_statistics.xml')
-rw-r--r-- docbook/wsug_src/WSUG_chapter_statistics.xml 508
1 files changed, 508 insertions, 0 deletions
diff --git a/docbook/wsug_src/WSUG_chapter_statistics.xml b/docbook/wsug_src/WSUG_chapter_statistics.xml
new file mode 100644
index 0000000000..e6f72e7386
--- /dev/null
+++ b/docbook/wsug_src/WSUG_chapter_statistics.xml
@@ -0,0 +1,508 @@
+<!-- WSUG Chapter Statistics -->
+<!-- $Id$ -->
+
+<chapter id="ChStatistics">
+ <title>Statistics</title>
+ <section id="ChStatIntroduction">
+ <title>Introduction</title>
+ <para>
+ Ethereal provides a wide range of network statistics.
+ </para>
+ <para>
+ These statistics range
+ from general information about the loaded capture file (like the number of
+ captured packets), to statistics about specific protocols
+ (e.g. statistics about the number of HTTP requests and responses captured).
+ <itemizedlist>
+ <listitem>
+ <para>
+ General statistics:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para><command>Summary</command> about the capture file.</para>
+ </listitem>
+ <listitem>
+ <para><command>Protocol Hierarchy</command> of the captured packets.</para>
+ </listitem>
+ <listitem>
+ <para><command>Endpoints</command> e.g. traffic to and from an IP
+ addresses.</para>
+ </listitem>
+ <listitem>
+ <para><command>Conversations</command> e.g. traffic between specific IP
+ addresses.</para>
+ </listitem>
+ <listitem>
+ <para><command>IO Graphs</command> visualizing the number of packets (or
+ similar) in time.</para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ <listitem>
+ <para>
+ Protocol specific statistics:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para><command>Service Response Time</command> between request and response
+ of some protocols.</para>
+ </listitem>
+ <listitem>
+ <para><command>Various other</command> protocol specific statistics.</para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ </itemizedlist>
+ <note><title>Note!</title>
+ <para>
+ The protocol specific statistics requires detailed knowledge about the
+ specific protocol. Unless you are familiar with that protocol, statistics
+ about it will be pretty hard to understand.
+ </para>
+ </note>
+ </para>
+ </section>
+
+ <section id="ChStatSummary">
+ <title>The "Summary" window</title>
+ <para>
+ General statistics about the current capture file.
+ </para>
+ <figure><title>The "Summary" window</title>
+ <graphic entityref="EtherealStatsSummary" format="PNG"/>
+ </figure>
+ <itemizedlist>
+ <listitem>
+ <para><command>File</command> general information about the capture file.
+ </para>
+ </listitem>
+ <listitem>
+ <para><command>Time</command> the timestamps when the first and the
+ last packet were capturing (and the time between them).</para>
+ </listitem>
+ <listitem>
+ <para><command>Capture</command> information from the time when the
+ capture was done (only available if the packet data was captured from the
+ network and not loaded from a file).</para>
+ </listitem>
+ <listitem>
+ <para><command>Display</command> some display related information.</para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>Traffic</command> some statistics of the network traffic seen.
+ If a display filter is set, you will see values in both columns. The
+ values in the <command>Captured</command> column will remain the same as
+ before, while the values in the <command>Displayed</command> column will
+ reflect the values corresponding to the packets shown in the display.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section id="ChStatHierarchy">
+ <title>The "Protocol Hierarchy" window</title>
+ <para>
+ The protocol hierarchy of the captured packets.
+ <figure><title>The "Protocol Hierarchy" window</title>
+ <graphic entityref="EtherealStatsHierarchy" format="PNG"/>
+ </figure>
+ This is a tree of all the protocols in the capture. You can collapse or
+ expand subtrees, by clicking on the plus / minus icons. By default, all
+ trees are expanded.
+ </para>
+ <para>
+ Each row contains the statistical values of one protocol.
+ </para>
+ <para>
+ The following columns containing the statistical values are available:
+ <itemizedlist>
+ <listitem>
+ <para><command>Protocol</command> this protocol's name</para>
+ </listitem>
+ <listitem>
+ <para><command>% Packets</command> the percentage of protocol packets,
+ relative to all packets in the capture</para>
+ </listitem>
+ <listitem>
+ <para><command>Packets</command> the absolute number of packets of this
+ protocol</para>
+ </listitem>
+ <listitem>
+ <para><command>Bytes</command> the absolute number of bytes of this
+ protocol</para>
+ </listitem>
+ <listitem>
+ <para><command>MBit/s</command> the bandwidth of this protocol, relative
+ to the capture time</para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>End Packets</command> the absolute number of packets of this
+ protocol (where this protocol were the highest protocol to decode)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>End Bytes</command> the absolute number of bytes of this protocol
+ (where this protocol were the highest protocol to decode)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>End MBit/s</command> the bandwidth of this protocol, relative to
+ the capture time (where this protocol were the highest protocol to decode)
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ <note><title>Note!</title>
+ <para>
+ Packets will usually contain multiple protocols, so more than one protocol
+ will be counted for each packet.
+ Example: In the screenshot IP has 99,17% and TCP 85,83% (which is together
+ much more than 100%).
+ </para>
+ </note>
+ <note><title>Note!</title>
+ <para>
+ A single packet can contain the same protocol more than once. In this case,
+ the protocol is counted more than once. For example: in some tunneling
+ configurations the IP layer can appear twice.
+ </para>
+ </note>
+ </section>
+
+ <section id="ChStatEndpoints">
+ <title>Endpoints</title>
+ <para>
+ Statistics of the endpoints captured.
+ <tip><title>Tip!</title>
+ <para>
+ If you are looking for a feature other network tools call a <command>
+ hostlist</command>, here is the right place to look. The list of
+ Ethernet or IP endpoints is usually what you're looking for.
+ </para>
+ </tip>
+ </para>
+ <section id="ChStatEndpointDefinition"><title>What is an Endpoint?</title>
+ <para>
+ A network endpoint is the logical endpoint of separate protocol traffic of
+ a specific protocol layer. The endpoint statistics of Ethereal will take
+ the following endpoints into account:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <command>Ethernet</command> an Ethernet endpoint is identical to the
+ Ethernet's MAC address.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>Fibre Channel</command> XXX - insert info here.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>FDDI</command> a FDDI endpoint is identical to the FDDI MAC
+ address.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>IPv4</command> an IP endpoint is identical to its IP address.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>IPX</command> XXX - insert info here.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>TCP</command> a TCP endpoint is a combination of the IP address
+ and the TCP port used, so different TCP ports on the same IP address are
+ different TCP endpoints.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>Token Ring</command> a Token Ring endpoint is identical to the
+ Token Ring MAC address.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>UDP</command> a UDP endpoint is a combination of the IP address
+ and the UDP port used, so different UDP ports on the same IP address are
+ different UDP endpoints.
+ </para>
+ </listitem>
+ </itemizedlist>
+ <note><title>Broadcast / multicast endpoints</title>
+ <para>
+ Broadcast / multicast traffic will be shown separately as additional
+ endpoints. Of course, as these endpoints are virtual endpoints, the real
+ traffic will be received by all (multicast: some) of the listed unicast
+ endpoints.
+ </para>
+ </note>
+ </section>
+ <section id="ChStatEndpointsWindow">
+ <title>The "Endpoints" window</title>
+ <para>
+ This window shows statistics about the endpoints captured.
+ </para>
+ <figure><title>The "Endpoints" window</title>
+ <graphic entityref="EtherealStatsEndpoints" format="PNG"/>
+ </figure>
+ <para>
+ For each supported protocol, a tab is shown in this window.
+ The tab labels shows the number of endpoints captured (e.g. the
+ tab label "Ethernet: 5" tells you that five ethernet endpoints have been
+ captured). If no endpoints of a specific protocol were captured, the tab
+ label will be
+ grayed out (although the related page can still be selected).
+ </para>
+ <para>
+ Each row in the list shows the statistical values for exactly one endpoint.
+ </para>
+ <para>
+ <command>Name resolution</command> will be done if selected in the window
+ and if it is active for the specific protocol layer (MAC layer for the
+ selected Ethernet endpoints page). As you might have noticed, the first
+ row has a name
+ resolution of the first three bytes "Netgear", the second row's address was
+ resolved to an IP address (using ARP) and the third was resolved
+ to a broadcast (unresolved this would still be: ff:ff:ff:ff:ff:ff), the last two
+ Ethernet addresses remain unresolved.
+ </para>
+ <tip><title>Tip!</title>
+ <para>
+ This window will be updated frequently, so it will be useful, even if
+ you open it before (or while) you are doing a live capture.
+ </para>
+ </tip>
+ </section>
+ <section id="ChStatEndpointListWindow">
+ <title>The protocol specific "Endpoint List" windows</title>
+ <para>
+ Before the combined window described above was available, each of its
+ pages were shown as separate windows. Even though the combined window is
+ much more convenient to use, these separate windows are still
+ available. The main reason is, they might process faster for
+ very large capture files. However, as the functionality is exactly the
+ same as in the combined window, they won't be discussed in detail here.
+ </para>
+ </section>
+ </section>
+
+ <section id="ChStatConversations">
+ <title>Conversations</title>
+ <para>
+ Statistics of the captured conversations.
+ </para>
+ <section><title>What is a Conversation?</title>
+ <para>
+ A network conversation is the traffic between two specific endpoints. For
+ example, an IP conversation is all the traffic between two IP addresses.
+ The description of the known endpoint types can be found in
+ <xref linkend="ChStatEndpointDefinition"/>.
+ </para>
+ </section>
+ <section id="ChStatConversationsWindow"><title>The "Conversations" window</title>
+ <para>
+ Beside the list content, the conversations window work the same way as the
+ endpoint ones, see <xref linkend="ChStatEndpointsWindow"/> for a
+ description how it works.
+ <figure><title>The "Conversations" window</title>
+ <graphic entityref="EtherealStatsConversations" format="PNG"/>
+ </figure>
+ </para>
+ </section>
+ <section id="ChStatConversationListWindow">
+ <title>The protocol specific "Conversation List" windows</title>
+ <para>
+ Before the combined window described above was available, each of its
+ pages were shown as separate windows. Even though the combined window is
+ much more convenient to use, these separate windows are still
+ available. The main reason is, they might process faster for
+ very large capture files. However, as the functionality is exactly the
+ same as in the combined window, they won't be discussed in detail here.
+ </para>
+ </section>
+ </section>
+
+ <section id="ChStatIOGraphs">
+ <title>The "IO Graphs" window</title>
+ <para>
+ User configurable graph of the captured network packets.
+ </para>
+ <para>
+ You can define up to five differently colored graphs.
+ </para>
+
+ <figure><title>The "IO Graphs" window</title>
+ <graphic entityref="EtherealStatsIOGraphs" format="PNG"/>
+ </figure>
+
+ <para>
+ The user can configure the following things:
+ <itemizedlist>
+ <listitem>
+ <para><command>Graphs</command>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <command>Graph 1-5</command> enable the graph 1-5 (only graph 1 is enabled
+ by default)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>Color</command> the color of the graph (cannot be changed)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>Filter:</command> a display filter for this graph (only the
+ packets that pass this filter will be taken into account for that graph)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>Style:</command> the style of the graph (Line/Impulse/FBar)
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </listitem>
+
+ <listitem>
+ <para><command>X Axis</command>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <command>Tick interval</command> an interval in x direction lasts
+ (10/1/0.1/0.01/0.001 seconds)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>Pixels per tick</command> use 10/5/2/1 pixels per tick interval
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </listitem>
+
+ <listitem>
+ <para><command>Y Axis</command>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <command>Unit</command> the unit for the y direction (Packets/Tick,
+ Bytes/Tick, Advanced...)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>Scale</command> the scale for the y unit
+ (10,20,50,100,200,500,...)
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </listitem>
+
+ </itemizedlist>
+ XXX - describe the Advanced feature.
+ </para>
+ </section>
+
+ <section id="ChStatSRT">
+ <title>Service Response Time</title>
+ <para>
+ The service response time is the time between a request and the
+ corresponding response. This information is available for many protocols.
+ </para>
+ <para>
+ Service response time statistics are currently available for the following
+ protocols:
+ <itemizedlist>
+ <listitem>
+ <para><command>DCE-RPC</command></para>
+ </listitem>
+ <listitem>
+ <para><command>Fibre Channel</command></para>
+ </listitem>
+ <listitem>
+ <para><command>H.225 RAS</command></para>
+ </listitem>
+ <listitem>
+ <para><command>LDAP</command></para>
+ </listitem>
+ <listitem>
+ <para><command>MGCP</command></para>
+ </listitem>
+ <listitem>
+ <para><command>ONC-RPC</command></para>
+ </listitem>
+ <listitem>
+ <para><command>SMB</command></para>
+ </listitem>
+ </itemizedlist>
+ As an example, the DCE-RPC service response time is described in more
+ detail.
+ <note><title>Note!</title>
+ <para>
+ The other Service Response Time windows will work the same way (or only
+ slightly different) compared to the following description.
+ </para>
+ </note>
+ </para>
+ <section id="ChStatSRTDceRpc">
+ <title>The "Service Response Time DCE-RPC" window</title>
+ <para>
+ The service response time of DCE-RPC is the time between the request and
+ the corresponding response.
+ </para>
+ <para>
+ First of all, you have to select the DCE-RPC interface:
+ </para>
+ <figure><title>The "Compute DCE-RPC statistics" window</title>
+ <graphic entityref="EtherealStatsSrtDcerpcFilter" format="PNG"/>
+ </figure>
+ <para>
+ You can optionally set a display filter, to reduce the amount of packets.
+ </para>
+ <figure><title>The "DCE-RPC Statistic for ..." window</title>
+ <graphic entityref="EtherealStatsSrtDcerpc" format="PNG"/>
+ </figure>
+ <para>
+ Each row corresponds to a method of the interface selected (so the EPM
+ interface in version 3 has 7 methods). For each
+ method the number of calls, and the statistics of the SRT time is
+ calculated.
+ </para>
+ </section>
+ </section>
+
+ <section id="ChStatXXX">
+ <title>The protocol specific statistics windows</title>
+ <para>
+ The protocol specific statistics windows display detailed information
+ of specific protocols and might be described in a later
+ version of this document.
+ </para>
+ <para>
+ Some of these statistics are described at the
+ <ulink url="http://wiki.ethereal.com/Statistics"/> pages.
+ </para>
+ </section>
+
+</chapter>
+<!-- End of WSUG Chapter Statistics -->
+
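Review bot: The "XXX" placeholders in this file sit in rendered text, so they will appear in the published guide: the Fibre Channel and IPX items in the "What is an Endpoint?" list both read "XXX - insert info here.", and the IO Graphs section ends with "XXX - describe the Advanced feature." inside the para. Either write the missing descriptions or move these markers into XML comments so they remain as TODOs without being rendered. The id of the last section, "ChStatXXX", looks like the same kind of placeholder; ids are what xref linkend points at, so it is worth choosing a final name before anything links to it. The "What is a Conversation?" section has no id at all, while its Endpoints counterpart has ChStatEndpointDefinition, so it cannot be referenced the way the Conversations text already references the endpoint definition. Wording nits in the same hunk: "were capturing" in the Summary "Time" item should be "were captured", "where this protocol were the highest protocol to decode" should use "was" (three occurrences), "The tab labels shows" and "the conversations window work" have subject/verb mismatches, and "traffic to and from an IP addresses" mixes singular and plural.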