forked from osmocom/wireshark
dd7260d67f
svn path=/trunk/; revision=14674
<!-- EUG Chapter Statistics -->
<!-- $Id$ -->

<chapter id="ChStatistics">
<title>Statistics</title>
<section id="ChStatIntroduction">
<title>Introduction</title>
<para>
Ethereal provides a wide range of network statistics.
</para>
<para>
These statistics range
from general information about the loaded capture file (like the number of
captured packets), to statistics about specific protocols
(e.g. statistics about the number of HTTP requests and responses captured).
<itemizedlist>
<listitem>
<para>
General statistics:
</para>
<itemizedlist>
<listitem>
<para><command>Summary</command> about the capture file.</para>
</listitem>
<listitem>
<para><command>Protocol Hierarchy</command> of the captured packets.</para>
</listitem>
<listitem>
<para><command>Endpoints</command> e.g. traffic to and from a specific IP
address.</para>
</listitem>
<listitem>
<para><command>Conversations</command> e.g. traffic between specific IP
addresses.</para>
</listitem>
<listitem>
<para><command>IO Graphs</command> visualizing the number of packets (or
similar) over time.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
Protocol specific statistics:
</para>
<itemizedlist>
<listitem>
<para><command>Service Response Time</command> between request and response
of some protocols.</para>
</listitem>
<listitem>
<para><command>Various other</command> protocol specific statistics.</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
<note><title>Note!</title>
<para>
The protocol specific statistics require detailed knowledge about the
specific protocol. Unless you are familiar with that protocol, statistics
about it will be pretty hard to understand.
</para>
</note>
</para>
</section>

<section id="ChStatSummary">
<title>The "Summary" window</title>
<para>
General statistics about the current capture file.
</para>
<figure><title>The "Summary" window</title>
<graphic entityref="EtherealStatsSummary" format="PNG"/>
</figure>
<itemizedlist>
<listitem>
<para><command>File</command> general information about the capture file.
</para>
</listitem>
<listitem>
<para><command>Time</command> the timestamps when the first and the
last packet were captured (and the time between them).</para>
</listitem>
<listitem>
<para><command>Capture</command> information from the time when the
capture was done (only available if the packet data was captured from the
network and not loaded from a file).</para>
</listitem>
<listitem>
<para><command>Display</command> some display related information.</para>
</listitem>
<listitem>
<para>
<command>Traffic</command> some statistics of the network traffic seen.
If a display filter is set, you will see values in both columns. The
values in the <command>Captured</command> column will remain the same as
before, while the values in the <command>Displayed</command> column will
reflect the values corresponding to the packets shown in the display.
</para>
</listitem>
</itemizedlist>
</section>

<section id="ChStatHierarchy">
<title>The "Protocol Hierarchy" window</title>
<para>
The protocol hierarchy of the captured packets.
<figure><title>The "Protocol Hierarchy" window</title>
<graphic entityref="EtherealStatsHierarchy" format="PNG"/>
</figure>
This is a tree of all the protocols in the capture. You can collapse or
expand subtrees by clicking on the plus / minus icons. By default, all
trees are expanded.
</para>
<para>
Each row contains the statistical values of one protocol.
</para>
<para>
The following columns containing the statistical values are available:
<itemizedlist>
<listitem>
<para><command>Protocol</command> this protocol's name</para>
</listitem>
<listitem>
<para><command>% Packets</command> the percentage of protocol packets,
relative to all packets in the capture</para>
</listitem>
<listitem>
<para><command>Packets</command> the absolute number of packets of this
protocol</para>
</listitem>
<listitem>
<para><command>Bytes</command> the absolute number of bytes of this
protocol</para>
</listitem>
<listitem>
<para><command>MBit/s</command> the bandwidth of this protocol, relative
to the capture time</para>
</listitem>
<listitem>
<para>
<command>End Packets</command> the absolute number of packets of this
protocol (where this protocol was the highest protocol to decode)
</para>
</listitem>
<listitem>
<para>
<command>End Bytes</command> the absolute number of bytes of this protocol
(where this protocol was the highest protocol to decode)
</para>
</listitem>
<listitem>
<para>
<command>End MBit/s</command> the bandwidth of this protocol, relative to
the capture time (where this protocol was the highest protocol to decode)
</para>
</listitem>
</itemizedlist>
</para>
<note><title>Note!</title>
<para>
Packets will usually contain multiple protocols, so more than one protocol
will be counted for each packet.
Example: In the screenshot IP has 99,17% and TCP 85,83% (which is together
much more than 100%).
</para>
</note>
<note><title>Note!</title>
<para>
A single packet can contain the same protocol more than once. In this case,
the protocol is counted more than once. For example: in some tunneling
configurations the IP layer can appear twice.
</para>
</note>
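<para>
The counting rules from the column list and the two notes above, as an added
Python example (not part of the original guide and not Ethereal's own code).
The packet list is constructed, and charging each protocol row the whole frame
length is an assumption of this sketch.
</para>
<programlisting><![CDATA[
```python
from collections import defaultdict

# Constructed sample: (frame length in bytes, protocol stack from the lowest
# to the highest decoded layer). Not taken from a real capture.
PACKETS = [
    (74,  ["eth", "ip", "tcp"]),
    (590, ["eth", "ip", "tcp", "http"]),
    (86,  ["eth", "ip", "udp", "dns"]),
    (60,  ["eth", "arp"]),
    (118, ["eth", "ip", "ip", "tcp"]),   # tunnel: the IP layer appears twice
]

def protocol_hierarchy(packets):
    """Return {path: row}; path is the tuple of protocols from the tree root."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0,
                                 "end_packets": 0, "end_bytes": 0})
    for length, stack in packets:
        # Every layer on the way up is counted once for this packet.
        for depth in range(1, len(stack) + 1):
            row = stats[tuple(stack[:depth])]
            row["packets"] += 1
            row["bytes"] += length      # assumption: whole frame per row
        # Only the highest decoded protocol gets the "End" counters.
        last = stats[tuple(stack)]
        last["end_packets"] += 1
        last["end_bytes"] += length
    total = len(packets)
    for row in stats.values():
        row["pct_packets"] = 100.0 * row["packets"] / total
    return dict(stats)

def print_tree(stats):
    """Print the rows indented by tree depth, like the window's tree view."""
    for path in sorted(stats):
        s = stats[path]
        indent = "  " * (len(path) - 1)
        print(f"{indent}{path[-1]:<6} {s['pct_packets']:6.2f}% "
              f"{s['packets']:3d} pkts {s['bytes']:5d} B end={s['end_packets']}")

if __name__ == "__main__":
    print_tree(protocol_hierarchy(PACKETS))
```
]]></programlisting>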
</section>

<section id="ChStatEndpoints">
<title>Endpoints</title>
<para>
Statistics of the endpoints captured.
<tip><title>Tip!</title>
<para>
If you are looking for a feature other network tools call a <command>
hostlist</command>, here is the right place to look. The list of
Ethernet or IP endpoints is usually what you're looking for.
</para>
</tip>
</para>
<section id="ChStatEndpointDefinition"><title>What is an Endpoint?</title>
<para>
A network endpoint is the logical endpoint of separate protocol traffic of
a specific protocol layer. The endpoint statistics of Ethereal will take
the following endpoints into account:
</para>
<itemizedlist>
<listitem>
<para>
<command>Ethernet</command> an Ethernet endpoint is identical to the
Ethernet MAC address.
</para>
</listitem>
<listitem>
<para>
<command>Fibre Channel</command> XXX - insert info here.
</para>
</listitem>
<listitem>
<para>
<command>FDDI</command> an FDDI endpoint is identical to the FDDI MAC
address.
</para>
</listitem>
<listitem>
<para>
<command>IPv4</command> an IP endpoint is identical to its IP address.
</para>
</listitem>
<listitem>
<para>
<command>IPX</command> XXX - insert info here.
</para>
</listitem>
<listitem>
<para>
<command>TCP</command> a TCP endpoint is a combination of the IP address
and the TCP port used, so different TCP ports on the same IP address are
different TCP endpoints.
</para>
</listitem>
<listitem>
<para>
<command>Token Ring</command> a Token Ring endpoint is identical to the
Token Ring MAC address.
</para>
</listitem>
<listitem>
<para>
<command>UDP</command> a UDP endpoint is a combination of the IP address
and the UDP port used, so different UDP ports on the same IP address are
different UDP endpoints.
</para>
</listitem>
</itemizedlist>
<note><title>Broadcast / multicast endpoints</title>
<para>
Broadcast / multicast traffic will be shown separately as additional
endpoints. Of course, as these endpoints are virtual endpoints, the real
traffic will be received by all (multicast: some) of the listed unicast
endpoints.
</para>
</note>
</section>
<section id="ChStatEndpointsWindow">
<title>The "Endpoints" window</title>
<para>
This window shows statistics about the endpoints captured.
</para>
<figure><title>The "Endpoints" window</title>
<graphic entityref="EtherealStatsEndpoints" format="PNG"/>
</figure>
<para>
For each supported protocol, a tab is shown in this window.
Each tab label shows the number of endpoints captured (e.g. the
tab label "Ethernet: 5" tells you that five Ethernet endpoints have been
captured). If no endpoints of a specific protocol were captured, the tab
label will be
grayed out (although the related page can still be selected).
</para>
<para>
Each row in the list shows the statistical values for exactly one endpoint.
</para>
<para>
<command>Name resolution</command> will be done if selected in the window
and if it is active for the specific protocol layer (MAC layer for the
selected Ethernet endpoints page). As you might have noticed, the first
three bytes of the address in the first row were resolved to the name
"Netgear", the second row's address was
resolved to an IP address (using ARP), and the third was resolved
to a broadcast (unresolved, this would still be ff:ff:ff:ff:ff:ff). The last two
Ethernet addresses remain unresolved.
</para>
<tip><title>Tip!</title>
<para>
This window will be updated frequently, so it will be useful even if
you open it before (or while) you are doing a live capture.
</para>
</tip>
</section>
<section id="ChStatEndpointListWindow">
<title>The protocol specific "Endpoint List" windows</title>
<para>
Before the combined window described above was available, each of its
pages was shown as a separate window. Even though the combined window is
much more convenient to use, these separate windows are still
available. The main reason is that they might process faster for
very large capture files. However, as the functionality is exactly the
same as in the combined window, they won't be discussed in detail here.
</para>
</section>
</section>

<section id="ChStatConversations">
<title>Conversations</title>
<para>
Statistics of the captured conversations.
</para>
<section><title>What is a Conversation?</title>
<para>
A network conversation is the traffic between two specific endpoints. For
example, an IP conversation is all the traffic between two IP addresses.
The description of the known endpoint types can be found in
<xref linkend="ChStatEndpointDefinition"/>.
</para>
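<para>
The endpoint and conversation definitions from this section and from
"What is an Endpoint?", as an added Python example (not part of the original
guide and not Ethereal's own code). The packet tuples, the addresses and the
byte accounting (bytes sent plus bytes received per endpoint) are constructed
for this sketch.
</para>
<programlisting><![CDATA[
```python
from collections import Counter

# Constructed sample packets:
# (src MAC, dst MAC, src IP, dst IP, transport, src port, dst port, bytes)
A, B, BCAST = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "ff:ff:ff:ff:ff:ff"
PACKETS = [
    (A, B, "192.0.2.2", "192.0.2.10", "tcp", 40001, 80, 74),
    (B, A, "192.0.2.10", "192.0.2.2", "tcp", 80, 40001, 590),
    (A, B, "192.0.2.2", "192.0.2.10", "tcp", 40002, 443, 74),
    (A, BCAST, "192.0.2.2", "192.0.2.255", "udp", 137, 137, 92),
]

def endpoint_keys(pkt):
    """Yield (layer, source endpoint, destination endpoint) for one packet."""
    smac, dmac, sip, dip, transport, sport, dport, _ = pkt
    yield "ethernet", smac, dmac                      # endpoint = MAC address
    yield "ipv4", sip, dip                            # endpoint = IP address
    yield transport, (sip, sport), (dip, dport)       # endpoint = IP + port

def endpoints_and_conversations(packets):
    endpoints = {}       # layer -> Counter(endpoint -> bytes sent + received)
    conversations = {}   # layer -> Counter({a, b} -> bytes in both directions)
    for pkt in packets:
        nbytes = pkt[-1]
        for layer, src, dst in endpoint_keys(pkt):
            ep = endpoints.setdefault(layer, Counter())
            ep[src] += nbytes
            ep[dst] += nbytes     # broadcast shows up as its own endpoint
            conv = conversations.setdefault(layer, Counter())
            # A conversation is direction-less, so key it on the unordered pair.
            conv[frozenset((src, dst))] += nbytes
    return endpoints, conversations

if __name__ == "__main__":
    eps, convs = endpoints_and_conversations(PACKETS)
    for layer in eps:
        print(f"{layer}: {len(eps[layer])} endpoints, "
              f"{len(convs[layer])} conversations")
```
]]></programlisting>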
</section>
<section id="ChStatConversationsWindow"><title>The "Conversations" window</title>
<para>
Apart from the list content, the conversations window works the same way as the
endpoints window; see <xref linkend="ChStatEndpointsWindow"/> for a
description of how it works.
<figure><title>The "Conversations" window</title>
<graphic entityref="EtherealStatsConversations" format="PNG"/>
</figure>
</para>
</section>
<section id="ChStatConversationListWindow">
<title>The protocol specific "Conversation List" windows</title>
<para>
Before the combined window described above was available, each of its
pages was shown as a separate window. Even though the combined window is
much more convenient to use, these separate windows are still
available. The main reason is that they might process faster for
very large capture files. However, as the functionality is exactly the
same as in the combined window, they won't be discussed in detail here.
</para>
</section>
</section>

<section id="ChStatIOGraphs">
<title>The "IO Graphs" window</title>
<para>
User configurable graph of the captured network packets.
</para>
<para>
You can define up to five differently colored graphs.
</para>

<figure><title>The "IO Graphs" window</title>
<graphic entityref="EtherealStatsIOGraphs" format="PNG"/>
</figure>

<para>
The user can configure the following things:
<itemizedlist>
<listitem>
<para><command>Graphs</command>
<itemizedlist>
<listitem>
<para>
<command>Graph 1-5</command> enable graphs 1-5 (only graph 1 is enabled
by default)
</para>
</listitem>
<listitem>
<para>
<command>Color</command> the color of the graph (cannot be changed)
</para>
</listitem>
<listitem>
<para>
<command>Filter:</command> a display filter for this graph (only the
packets that pass this filter will be taken into account for that graph)
</para>
</listitem>
<listitem>
<para>
<command>Style:</command> the style of the graph (Line/Impulse/FBar)
</para>
</listitem>
</itemizedlist>
</para>
</listitem>

<listitem>
<para><command>X Axis</command>
<itemizedlist>
<listitem>
<para>
<command>Tick interval</command> the length of one interval in the x direction
(10/1/0.1/0.01/0.001 seconds)
</para>
</listitem>
<listitem>
<para>
<command>Pixels per tick</command> use 10/5/2/1 pixels per tick interval
</para>
</listitem>
</itemizedlist>
</para>
</listitem>

<listitem>
<para><command>Y Axis</command>
<itemizedlist>
<listitem>
<para>
<command>Unit</command> the unit for the y direction (Packets/Tick,
Bytes/Tick, Advanced...)
</para>
</listitem>
<listitem>
<para>
<command>Scale</command> the scale for the y unit
(10,20,50,100,200,500,...)
</para>
</listitem>
</itemizedlist>
</para>
</listitem>

</itemizedlist>
XXX - describe the Advanced feature.
</para>
</section>

<section id="ChStatSRT">
<title>Service Response Time</title>
<para>
The service response time is the time between a request and the
corresponding response. This information is available for many protocols.
</para>
<para>
Service response time statistics are currently available for the following
protocols:
<itemizedlist>
<listitem>
<para><command>DCE-RPC</command></para>
</listitem>
<listitem>
<para><command>Fibre Channel</command></para>
</listitem>
<listitem>
<para><command>H.225 RAS</command></para>
</listitem>
<listitem>
<para><command>LDAP</command></para>
</listitem>
<listitem>
<para><command>MGCP</command></para>
</listitem>
<listitem>
<para><command>ONC-RPC</command></para>
</listitem>
<listitem>
<para><command>SMB</command></para>
</listitem>
</itemizedlist>
As an example, the DCE-RPC service response time is described in more
detail.
<note><title>Note!</title>
<para>
The other Service Response Time windows will work the same way (or only
slightly differently) compared to the following description.
</para>
</note>
</para>
<section id="ChStatSRTDceRpc">
<title>The "Service Response Time DCE-RPC" window</title>
<para>
The service response time of DCE-RPC is the time between the request and
the corresponding response.
</para>
<para>
First of all, you have to select the DCE-RPC interface:
</para>
<figure><title>The "Compute DCE-RPC statistics" window</title>
<graphic entityref="EtherealStatsSrtDcerpcFilter" format="PNG"/>
</figure>
<para>
You can optionally set a display filter to reduce the number of packets.
</para>
<figure><title>The "DCE-RPC Statistic for ..." window</title>
<graphic entityref="EtherealStatsSrtDcerpc" format="PNG"/>
</figure>
<para>
Each row corresponds to a method of the interface selected (so the EPM
interface in version 3 has 7 methods). For each
method, the number of calls and the statistics of the SRT are
calculated.
</para>
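<para>
How such a per-method table can be derived from requests and responses, as an
added Python example (not part of the original guide and not Ethereal's own
code). The event tuples are constructed; pairing a response with its request
by connection and call id, and taking the method number (opnum) from the
request, are assumptions of this sketch.
</para>
<programlisting><![CDATA[
```python
# Constructed sample events:
# (time in microseconds, kind, connection id, call id, opnum)
# opnum is None on responses; it is recovered from the matching request.
EVENTS = [
    (0,     "request",  "c1", 1, 3),
    (4000,  "response", "c1", 1, None),
    (10000, "request",  "c1", 2, 3),
    (11000, "request",  "c2", 1, 5),
    (30000, "response", "c1", 2, None),
    (50000, "response", "c2", 9, None),   # request not in the capture
    (60000, "request",  "c1", 3, 5),      # never answered
]

def service_response_times(events):
    """Return (table, orphan_responses, unanswered_requests).

    table maps opnum -> {"calls", "min", "max", "avg"} in microseconds.
    """
    pending = {}    # (connection, call id) -> (request time, opnum)
    samples = {}    # opnum -> list of response times
    orphans = 0
    for t, kind, conn, call_id, opnum in sorted(events, key=lambda e: e[0]):
        key = (conn, call_id)
        if kind == "request":
            pending[key] = (t, opnum)
        elif key in pending:
            t_req, req_opnum = pending.pop(key)
            samples.setdefault(req_opnum, []).append(t - t_req)
        else:
            # Capture started mid-call or the request was dropped: no SRT.
            orphans += 1
    table = {op: {"calls": len(v), "min": min(v), "max": max(v),
                  "avg": sum(v) / len(v)}
             for op, v in samples.items()}
    return table, orphans, len(pending)

if __name__ == "__main__":
    table, orphans, unanswered = service_response_times(EVENTS)
    for op, row in sorted(table.items()):
        print(f"opnum {op}: {row}")
    print(f"orphan responses: {orphans}, unanswered requests: {unanswered}")
```
]]></programlisting>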
</section>
</section>

<section id="ChStatXXX">
<title>The protocol specific statistics windows</title>
<para>
The protocol specific statistics windows display detailed information
of specific protocols and might be described in a later
version of this document.
</para>
<para>
Some of these statistics are described at the
<ulink url="http://wiki.ethereal.com/Statistics"/> pages.
</para>
</section>

</chapter>
<!-- End of EUG Chapter Statistics -->