1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
|
<!-- WSUG Chapter Statistics -->
<chapter id="ChStatistics">
<title>Statistics</title>
<section id="ChStatIntroduction">
<title>Introduction</title>
<para>
Wireshark provides a wide range of network statistics which can be accessed via the
<command>Statistics</command> menu.
</para>
<para>
These statistics range from general information about the loaded capture file
(like the number of captured packets), to statistics about specific protocols
(e.g. statistics about the number of HTTP requests and responses captured).
<itemizedlist>
<listitem>
<para>
General statistics:
</para>
<itemizedlist>
<listitem>
<para><command>Summary</command> about the capture file.</para>
</listitem>
<listitem>
<para><command>Protocol Hierarchy</command> of the captured packets.</para>
</listitem>
<listitem>
<para><command>Conversations</command> e.g. traffic between specific IP
addresses.</para>
</listitem>
<listitem>
<para><command>Endpoints</command> e.g. traffic to and from an IP
addresses.</para>
</listitem>
<listitem>
<para><command>IO Graphs</command> visualizing the number of packets (or
similar) in time.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
Protocol specific statistics:
</para>
<itemizedlist>
<listitem>
<para><command>Service Response Time</command> between request and response
of some protocols.</para>
</listitem>
<listitem>
<para><command>Various other</command> protocol specific statistics.</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
<note><title>Note!</title>
<para>
The protocol specific statistics requires detailed knowledge about the
specific protocol. Unless you are familiar with that protocol, statistics
about it will be pretty hard to understand.
</para>
</note>
</para>
</section>
<section id="ChStatSummary">
<title>The "Summary" window</title>
<para>
General statistics about the current capture file.
</para>
<figure><title>The "Summary" window</title>
<graphic entityref="WiresharkStatsSummary" format="PNG"/>
</figure>
<itemizedlist>
<listitem>
<para><command>File</command>: general information about the capture file.
</para>
</listitem>
<listitem>
<para><command>Time</command>: the timestamps when the first and the
last packet were captured (and the time between them).</para>
</listitem>
<listitem>
<para><command>Capture</command>: information from the time when the
capture was done (only available if the packet data was captured from the
network and not loaded from a file).</para>
</listitem>
<listitem>
<para><command>Display</command>: some display related information.</para>
</listitem>
<listitem>
<para>
<command>Traffic</command>: some statistics of the network traffic seen.
If a display filter is set, you will see values in the Captured column,
and if any packages are marked, you will see values in the Marked column.
The values in the <command>Captured</command> column will remain the same as
before, while the values in the <command>Displayed</command> column will
reflect the values corresponding to the packets shown in the display.
The values in the <command>Marked</command> column will reflect the values
corresponding to the marked packages.
</para>
</listitem>
</itemizedlist>
</section>
<section id="ChStatHierarchy">
<title>The "Protocol Hierarchy" window</title>
<para>
The protocol hierarchy of the captured packets.
<figure><title>The "Protocol Hierarchy" window</title>
<graphic entityref="WiresharkStatsHierarchy" format="PNG"/>
</figure>
This is a tree of all the protocols in the capture. You can collapse or
expand subtrees, by clicking on the plus / minus icons. By default, all
trees are expanded.
</para>
<para>
Each row contains the statistical values of one protocol.
The <command>Display filter</command> will show the current display filter.
</para>
<para>
The following columns containing the statistical values are available:
<itemizedlist>
<listitem>
<para><command>Protocol</command>: this protocol's name</para>
</listitem>
<listitem>
<para><command>% Packets</command>: the percentage of protocol packets,
relative to all packets in the capture</para>
</listitem>
<listitem>
<para><command>Packets</command>: the absolute number of packets of this
protocol</para>
</listitem>
<listitem>
<para><command>Bytes</command>: the absolute number of bytes of this
protocol</para>
</listitem>
<listitem>
<para><command>MBit/s</command>: the bandwidth of this protocol, relative
to the capture time</para>
</listitem>
<listitem>
<para>
<command>End Packets</command>: the absolute number of packets of this
protocol (where this protocol was the highest protocol to decode)
</para>
</listitem>
<listitem>
<para>
<command>End Bytes</command>: the absolute number of bytes of this protocol
(where this protocol was the highest protocol to decode)
</para>
</listitem>
<listitem>
<para>
<command>End MBit/s</command>: the bandwidth of this protocol, relative to
the capture time (where this protocol was the highest protocol to decode)
</para>
</listitem>
</itemizedlist>
</para>
<note><title>Note!</title>
<para>
Packets will usually contain multiple protocols, so more than one protocol
will be counted for each packet.
Example: In the screenshot IP has 99,17% and TCP 85,83% (which is together
much more than 100%).
</para>
</note>
<note><title>Note!</title>
<para>
Protocol layers can consist of packets that won't contain any higher layer
protocol, so the sum of all higher layer packets may not sum up to the
protocols packet count.
Example: In the screenshot TCP has 85,83% but the sum of the subprotocols
(HTTP, ...) is much less. This may be caused by TCP protocol overhead,
e.g. TCP ACK packets won't be counted as packets of the higher layer).
</para>
</note>
<note><title>Note!</title>
<para>
A single packet can contain the same protocol more than once. In this case,
the protocol is counted more than once. For example: in some tunneling
configurations the IP layer can appear twice.
</para>
</note>
</section>
<section id="ChStatConversations">
<title>Conversations</title>
<para>
Statistics of the captured conversations.
</para>
<section>
<title>What is a Conversation?</title>
<para>
A network conversation is the traffic between two specific endpoints. For
example, an IP conversation is all the traffic between two IP addresses.
The description of the known endpoint types can be found in
<xref linkend="ChStatEndpointDefinition"/>.
</para>
</section>
<section id="ChStatConversationsWindow"><title>The "Conversations" window</title>
<para>
The conversations window is similar to the
endpoint Window; see <xref linkend="ChStatEndpointsWindow"/> for a
description of their common features. Along with addresses, packet
counters, and byte counters the conversation window adds four columns: the time in seconds between the start of the capture and the start of the conversation ("Rel Start"), the duration of the conversation in seconds, and the average bits (not bytes) per second in each direction.
<figure><title>The "Conversations" window</title>
<graphic entityref="WiresharkStatsConversations" format="PNG"/>
</figure>
</para>
<para>
Each row in the list shows the statistical values for exactly one conversation.
</para>
<para>
<command>Name resolution</command> will be done if selected in the window
and if it is active for the specific protocol layer (MAC layer for the
selected Ethernet endpoints page).
</para>
<para>
<command>Limit to display filter</command> will only show conversations matching
the current display filter.
</para>
<para>
The <command>copy</command> button will copy the list values to the
clipboard in CSV (Comma Separated Values) format.
</para>
<tip><title>Tip!</title>
<para>
This window will be updated frequently, so it will be useful, even if
you open it before (or while) you are doing a live capture.
</para>
</tip>
</section>
<section id="ChStatConversationListWindow">
<title>The protocol specific "Conversation List" windows</title>
<para>
Before the combined window described above was available, each of its
pages was shown as a separate window. Even though the combined window is
much more convenient to use, these separate windows are still
available. The main reason is that they might process faster for
very large capture files. However, as the functionality is exactly the
same as in the combined window, they won't be discussed in detail here.
</para>
</section>
</section>
<section id="ChStatEndpoints">
<title>Endpoints</title>
<para>
Statistics of the endpoints captured.
<tip><title>Tip!</title>
<para>
If you are looking for a feature other network tools call a <command>
hostlist</command>, here is the right place to look. The list of
Ethernet or IP endpoints is usually what you're looking for.
</para>
</tip>
</para>
<section id="ChStatEndpointDefinition"><title>What is an Endpoint?</title>
<para>
A network endpoint is the logical endpoint of separate protocol traffic of
a specific protocol layer. The endpoint statistics of Wireshark will take
the following endpoints into account:
</para>
<itemizedlist>
<listitem>
<para>
<command>Ethernet</command>: an Ethernet endpoint is identical to the
Ethernet's MAC address.
</para>
</listitem>
<listitem>
<para>
<command>Fibre Channel</command>: XXX - insert info here.
</para>
</listitem>
<listitem>
<para>
<command>FDDI</command>: a FDDI endpoint is identical to the FDDI MAC
address.
</para>
</listitem>
<listitem>
<para>
<command>IPv4</command>: an IP endpoint is identical to its IP address.
</para>
</listitem>
<listitem>
<para>
<command>IPX</command>: an IPX endpoint is concatenation of a 32 bit
network number and 48 bit node address, be default the Ethernets' MAC
address.
</para>
</listitem>
<listitem>
<para>
<command>JXTA</command>: a JXTA endpoint is a 160 bit SHA-1 URN.
</para>
</listitem>
<listitem>
<para>
<command>NCP</command>: XXX - insert info here.
</para>
</listitem>
<listitem>
<para>
<command>RSVP</command>: XXX - insert info here.
</para>
</listitem>
<listitem>
<para>
<command>SCTP</command>: a SCTP endpoint is a combination of the host IP
addresses (plural) and the SCTP port used. So different SCTP ports on the
same IP address are different SCTP endpoints, but the same SCTP port on
different IP addresses of the same host are still the same endpoint.
</para>
</listitem>
<listitem>
<para>
<command>TCP</command>: a TCP endpoint is a combination of the IP address
and the TCP port used, so different TCP ports on the same IP address are
different TCP endpoints.
</para>
</listitem>
<listitem>
<para>
<command>Token Ring</command>: a Token Ring endpoint is identical to the
Token Ring MAC address.
</para>
</listitem>
<listitem>
<para>
<command>UDP</command>: a UDP endpoint is a combination of the IP address
and the UDP port used, so different UDP ports on the same IP address are
different UDP endpoints.
</para>
</listitem>
<listitem>
<para>
<command>USB</command>: XXX - insert info here.
</para>
</listitem>
<listitem>
<para>
<command>WLAN</command>: XXX - insert info here.
</para>
</listitem>
</itemizedlist>
<note><title>Broadcast / multicast endpoints</title>
<para>
Broadcast / multicast traffic will be shown separately as additional
endpoints. Of course, as these endpoints are virtual endpoints, the real
traffic will be received by all (multicast: some) of the listed unicast
endpoints.
</para>
</note>
</section>
<section id="ChStatEndpointsWindow">
<title>The "Endpoints" window</title>
<para>
This window shows statistics about the endpoints captured.
</para>
<figure><title>The "Endpoints" window</title>
<graphic entityref="WiresharkStatsEndpoints" format="PNG"/>
</figure>
<para>
For each supported protocol, a tab is shown in this window.
Each tab label shows the number of endpoints captured (e.g. the
tab label "Ethernet: 5" tells you that five ethernet endpoints have been
captured). If no endpoints of a specific protocol were captured, the tab
label will be greyed out (although the related page can still be selected).
</para>
<para>
Each row in the list shows the statistical values for exactly one endpoint.
</para>
<para>
<command>Name resolution</command> will be done if selected in the window
and if it is active for the specific protocol layer (MAC layer for the
selected Ethernet endpoints page). As you might have noticed, the first
row has a name
resolution of the first three bytes "Netgear", the second row's address was
resolved to an IP address (using ARP) and the third was resolved
to a broadcast (unresolved this would still be: ff:ff:ff:ff:ff:ff); the last two
Ethernet addresses remain unresolved.
</para>
<para>
<command>Limit to display filter</command> will only show conversations matching
the current display filter.
</para>
<para>
The <command>copy</command> button will copy the list values to the
clipboard in CSV (Comma Separated Values) format.
</para>
<tip><title>Tip!</title>
<para>
This window will be updated frequently, so it will be useful, even if
you open it before (or while) you are doing a live capture.
</para>
</tip>
</section>
<section id="ChStatEndpointListWindow">
<title>The protocol specific "Endpoint List" windows</title>
<para>
Before the combined window described above was available, each of its
pages was shown as a separate window. Even though the combined window is
much more convenient to use, these separate windows are still
available. The main reason is that they might process faster for
very large capture files. However, as the functionality is exactly the
same as in the combined window, they won't be discussed in detail here.
</para>
</section>
</section>
<section id="ChStatIOGraphs">
<title>The "IO Graphs" window</title>
<para>
User configurable graph of the captured network packets.
</para>
<para>
You can define up to five differently colored graphs.
</para>
<figure><title>The "IO Graphs" window</title>
<graphic entityref="WiresharkStatsIOGraphs" format="PNG"/>
</figure>
<para>
The user can configure the following things:
<itemizedlist>
<listitem>
<para><command>Graphs</command>
<itemizedlist>
<listitem>
<para>
<command>Graph 1-5</command>: enable the specific graph 1-5 (only graph 1 is enabled
by default)
</para>
</listitem>
<listitem>
<para>
<command>Color</command>: the color of the graph (cannot be changed)
</para>
</listitem>
<listitem>
<para>
<command>Filter</command>: a display filter for this graph (only the
packets that pass this filter will be taken into account for this graph)
</para>
</listitem>
<listitem>
<para>
<command>Style</command>: the style of the graph (Line/Impulse/FBar/Dot)
</para>
</listitem>
</itemizedlist>
</para>
</listitem>
<listitem>
<para><command>X Axis</command>
<itemizedlist>
<listitem>
<para>
<command>Tick interval</command>: an interval in x direction lasts
(10/1 minutes or 10/1/0.1/0.01/0.001 seconds)
</para>
</listitem>
<listitem>
<para>
<command>Pixels per tick</command>: use 10/5/2/1 pixels per tick interval
</para>
</listitem>
<listitem>
<para>
<command>View as time of day</command>: option to view x direction labels
as time of day instead of seconds or minutes since beginning of capture
</para>
</listitem>
</itemizedlist>
</para>
</listitem>
<listitem>
<para><command>Y Axis</command>
<itemizedlist>
<listitem>
<para>
<command>Unit</command>: the unit for the y direction (Packets/Tick,
Bytes/Tick, Bits/Tick, Advanced...) [XXX - describe the Advanced feature.]
</para>
</listitem>
<listitem>
<para>
<command>Scale</command>: the scale for the y unit
(Logarithmic,Auto,10,20,50,100,200,500,...)
</para>
</listitem>
</itemizedlist>
</para>
</listitem>
</itemizedlist>
</para>
<para>
The <command>save</command> button will save the currently displayed
portion of the graph as one of various file formats.
</para>
<para>
The <command>copy</command> button will copy values from selected
graphs to the clipboard in CSV (Comma Separated Values) format.
</para>
<tip><title>Tip!</title>
<para>
Click in the graph to select the first package in the selected interval.
</para>
</tip>
</section>
<section id="ChStatSRT">
<title>Service Response Time</title>
<para>
The service response time is the time between a request and the
corresponding response. This information is available for many protocols.
</para>
<para>
Service response time statistics are currently available for the following
protocols:
<itemizedlist>
<listitem>
<para><command>DCE-RPC</command></para>
</listitem>
<listitem>
<para><command>Fibre Channel</command></para>
</listitem>
<listitem>
<para><command>H.225 RAS</command></para>
</listitem>
<listitem>
<para><command>LDAP</command></para>
</listitem>
<listitem>
<para><command>LTE MAC</command></para>
</listitem>
<listitem>
<para><command>MGCP</command></para>
</listitem>
<listitem>
<para><command>ONC-RPC</command></para>
</listitem>
<listitem>
<para><command>SMB</command></para>
</listitem>
</itemizedlist>
As an example, the DCE-RPC service response time is described in more
detail.
<note><title>Note!</title>
<para>
The other Service Response Time windows will work the same way (or only
slightly different) compared to the following description.
</para>
</note>
</para>
<section id="ChStatSRTDceRpc">
<title>The "Service Response Time DCE-RPC" window</title>
<para>
The service response time of DCE-RPC is the time between the request and
the corresponding response.
</para>
<para>
First of all, you have to select the DCE-RPC interface:
</para>
<figure><title>The "Compute DCE-RPC statistics" window</title>
<graphic entityref="WiresharkStatsSrtDcerpcFilter" format="PNG"/>
</figure>
<para>
You can optionally set a display filter, to reduce the amount of packets.
</para>
<figure><title>The "DCE-RPC Statistic for ..." window</title>
<graphic entityref="WiresharkStatsSrtDcerpc" format="PNG"/>
</figure>
<para>
Each row corresponds to a method of the interface selected (so the EPM
interface in version 3 has 7 methods). For each
method the number of calls, and the statistics of the SRT time is
calculated.
</para>
</section>
</section>
<section id="ChStatCompareCaptureFiles">
<title>Compare two capture files</title>
<para>
Compare two capture files.
</para>
<para>
This feature works best when you have merged two capture files
chronologically, one from each side of a client/server connection.
</para>
<para>
The merged capture data is checked for missing packets. If a matching
connection is found it is checked for:
<itemizedlist>
<listitem>
<para>
IP header checksums
</para>
</listitem>
<listitem>
<para>
Excessive delay (defined by the "Time variance" setting)
</para>
</listitem>
<listitem>
<para>
Packet order
</para>
</listitem>
</itemizedlist>
</para>
<figure><title>The "Compare" window</title>
<graphic entityref="WiresharkStatsCompare" format="PNG"/>
</figure>
<para>
You can configure the following:
<itemizedlist>
<listitem>
<para>
<command>Start compare:</command> Start comparing when this many
IP IDs are matched. A zero value starts comparing immediately.
</para>
</listitem>
<listitem>
<para>
<command>Stop compare:</command> Stop comparing when we can no longer
match this many IP IDs. Zero always compares.
</para>
</listitem>
<listitem>
<para>
<command>Endpoint distinction:</command> Use MAC addresses or IP
time-to-live values to determine connection endpoints.
</para>
</listitem>
<listitem>
<para>
<command>Check order:</command> Check for the same IP ID in the
previous packet at each end.
</para>
</listitem>
<listitem>
<para>
<command>Time variance:</command> Trigger an error if the packet
arrives this many milliseconds after the average delay.
</para>
</listitem>
<listitem>
<para>
<command>Filter:</command> Limit comparison to packets that match
this display filter.
</para>
</listitem>
</itemizedlist>
</para>
<para>
The info column contains new numbering so the same packets are parallel.
</para>
<para>
The color filtering differentiate the two files from each other. A
“zebra” effect is create if the Info column is sorted.
</para>
<tip><title>Tip!</title>
<para>
If you click on an item in the error list its corresponding packet will
be selected in the main window.
</para>
</tip>
</section>
<section id="ChStatWLANTraffic">
<title>WLAN Traffic Statistics</title>
<para>
Statistics of the captured WLAN traffic. This window will summarize the
wireless network traffic found in the capture. Probe requests will be
merged into an existing network if the SSID matches.
</para>
<figure><title>The "WLAN Traffic Statistics" window</title>
<graphic entityref="WiresharkStatsWLANTraffic" format="PNG"/>
</figure>
<para>
Each row in the list shows the statistical values for exactly one wireless network.
</para>
<para>
<command>Name resolution</command> will be done if selected in the window
and if it is active for the MAC layer.
</para>
<para>
<command>Only show existing networks</command> will exclude probe requests
with a SSID not matching any network from the list.
</para>
<para>
The <command>copy</command> button will copy the list values to the
clipboard in CSV (Comma Separated Values) format.
</para>
<tip><title>Tip!</title>
<para>
This window will be updated frequently, so it will be useful, even if
you open it before (or while) you are doing a live capture.
</para>
</tip>
</section>
<section id="ChStatXXX">
<title>The protocol specific statistics windows</title>
<para>
The protocol specific statistics windows display detailed information
of specific protocols and might be described in a later
version of this document.
</para>
<para>
Some of these statistics are described at the
<ulink url="&WiresharkWikiPage;/Statistics"/> pages.
</para>
</section>
</chapter>
<!-- End of WSUG Chapter Statistics -->
|
