forked from osmocom/wireshark
639 lines
18 KiB
Plaintext
639 lines
18 KiB
Plaintext
// WSUG Chapter Statistics
|
||
|
||
[[ChStatistics]]
|
||
|
||
== Statistics
|
||
|
||
[[ChStatIntroduction]]
|
||
|
||
=== Introduction
|
||
|
||
Wireshark provides a wide range of network statistics which can be accessed via
|
||
the menu:Statistics[] menu.
|
||
|
||
These statistics range from general information about the loaded capture file
|
||
(like the number of captured packets), to statistics about specific protocols
|
||
(e.g. statistics about the number of HTTP requests and responses captured).
|
||
|
||
.General statistics
|
||
|
||
- *Capture File Properties* about the capture file.
|
||
|
||
- *Protocol Hierarchy* of the captured packets.
|
||
|
||
- *Conversations* e.g. traffic between specific IP addresses.
|
||
|
||
- *Endpoints* e.g. traffic to and from an IP addresses.
|
||
|
||
- *I/O Graphs* visualizing the number of packets (or similar) in time.
|
||
|
||
.Protocol specific statistics
|
||
|
||
- *Service Response Time* between request and response of some protocols.
|
||
|
||
- Various other protocol specific statistics.
|
||
|
||
[NOTE]
|
||
====
|
||
The protocol specific statistics require detailed knowledge about the specific
|
||
protocol. Unless you are familiar with that protocol, statistics about it may
|
||
be difficult to understand.
|
||
====
|
||
|
||
Wireshark has many other statistics windows that display detailed
|
||
information about specific protocols and might be described in a later
|
||
version of this document.
|
||
|
||
Some of these statistics are described at
|
||
{wireshark-wiki-url}Statistics.
|
||
|
||
[[ChStatSummary]]
|
||
|
||
=== The “Capture File Properties” Dialog
|
||
|
||
General information about the current capture file.
|
||
|
||
.The “Capture File Properties” dialog
|
||
image::wsug_graphics/ws-capture-file-properties.png[{screenshot-attrs}]
|
||
|
||
This dialog shows the following information:
|
||
|
||
Details::
|
||
Notable information about the capture file.
|
||
|
||
File:::
|
||
General information about the capture file, including its full path, size, cryptographic hashes, file format, and encapsulation.
|
||
|
||
Time:::
|
||
The timestamps of the first and the last packet in the file along with their difference.
|
||
|
||
Capture:::
|
||
Information about the capture environment.
|
||
This will only be shown for live captures or if this information is present in a saved capture file.
|
||
The pcapng format supports this, while pcap doesn’t.
|
||
|
||
Interfaces:::
|
||
Information about the capture interface or interfaces.
|
||
|
||
Statistics:::
|
||
A statistical summary of the capture file.
|
||
If a display filter is set, you will see values in the _Captured_ column, and if any packets are marked, you will see values in the _Marked_ column.
|
||
The values in the _Captured_ column will remain the same as before, while the values in the _Displayed_ column will reflect the values corresponding to the packets shown in the display.
|
||
The values in the _Marked_ column will reflect the values corresponding to the marked packages.
|
||
|
||
Capture file comments::
|
||
Some capture file formats (notably pcapng) allow a text comment for the entire file.
|
||
You can view and edit this comment here.
|
||
|
||
btn:[Refresh]::
|
||
Updates the information in the dialog.
|
||
|
||
btn:[Save Comments]::
|
||
Saves the contents of the “Capture file comments” text entry.
|
||
|
||
btn:[Close]::
|
||
Closes the dialog
|
||
|
||
btn:[Copy To Clipboard]::
|
||
Copies the “Details” information to the clipboard.
|
||
|
||
btn:[Help]::
|
||
Opens this section of the User’s Guide.
|
||
|
||
[[ChStatResolvedAddresses]]
|
||
|
||
=== Resolved Addresses
|
||
|
||
{missing}
|
||
|
||
[[ChStatHierarchy]]
|
||
|
||
=== The “Protocol Hierarchy” Window
|
||
|
||
The protocol hierarchy of the captured packets.
|
||
|
||
.The “Protocol Hierarchy” Window
|
||
image::wsug_graphics/ws-stats-hierarchy.png[{screenshot-attrs}]
|
||
|
||
This is a tree of all the protocols in the capture. Each row contains the
|
||
statistical values of one protocol. Two of the columns (_Percent Packets_ and
|
||
_Percent Bytes_) serve double duty as bar graphs. If a display filter is set it
|
||
will be shown at the bottom.
|
||
|
||
The btn:[Copy] button will let you copy the window contents as CSV or YAML.
|
||
|
||
.Protocol hierarchy columns
|
||
|
||
Protocol::
|
||
This protocol’s name.
|
||
|
||
Percent Packets::
|
||
The percentage of protocol packets relative to all packets in the capture.
|
||
|
||
Packets::
|
||
The total number of packets of this protocol.
|
||
|
||
Percent Bytes::
|
||
The percentage of protocol bytes relative to the total bytes in the capture.
|
||
|
||
Bytes::
|
||
The total number of bytes of this protocol.
|
||
|
||
Bits/s::
|
||
The bandwidth of this protocol relative to the capture time.
|
||
|
||
End Packets::
|
||
The absolute number of packets of this protocol where it was the highest protocol in the stack (last dissected).
|
||
|
||
End Bytes::
|
||
The absolute number of bytes of this protocol where it was the highest protocol in the stack (last dissected).
|
||
|
||
End Bits/s::
|
||
The bandwidth of this protocol relative to the capture time where was the highest protocol in the stack (last dissected).
|
||
|
||
Packets usually contain multiple protocols. As a result more than one protocol will
|
||
be counted for each packet. Example: In the screenshot IP has 99.9% and TCP
|
||
98.5% (which is together much more than 100%).
|
||
|
||
Protocol layers can consist of packets that won’t contain any higher layer
|
||
protocol, so the sum of all higher layer packets may not sum up to the protocols
|
||
packet count. Example: In the screenshot TCP has 98.5% but the sum of the
|
||
subprotocols (TLS, HTTP, etc) is much less. This can be caused by continuation
|
||
frames, TCP protocol overhead, and other undissected data.
|
||
|
||
A single packet can contain the same protocol more than once. In this case, the
|
||
protocol is counted more than once. For example ICMP replies and many tunneling
|
||
protocols will carry more than one IP header.
|
||
|
||
[[ChStatConversations]]
|
||
|
||
=== Conversations
|
||
|
||
A network conversation is the traffic between two specific endpoints. For
|
||
example, an IP conversation is all the traffic between two IP addresses. The
|
||
description of the known endpoint types can be found in
|
||
<<ChStatEndpoints>>.
|
||
|
||
[[ChStatConversationsWindow]]
|
||
|
||
==== The “Conversations” Window
|
||
|
||
The conversations window is similar to the endpoint Window. See
|
||
<<ChStatEndpointsWindow>> for a description of their common features. Along with
|
||
addresses, packet counters, and byte counters the conversation window adds four
|
||
columns: the start time of the conversation (“Rel Start”) or (“Abs Start”),
|
||
the duration of the conversation in seconds, and the average bits (not bytes)
|
||
per second in each direction. A timeline graph is also drawn across the
|
||
“Rel Start” / “Abs Start” and “Duration” columns.
|
||
|
||
.The “Conversations” window
|
||
image::wsug_graphics/ws-stats-conversations.png[{screenshot-attrs}]
|
||
|
||
Each row in the list shows the statistical values for exactly one conversation.
|
||
|
||
_Name resolution_ will be done if selected in the window and if it is active for
|
||
the specific protocol layer (MAC layer for the selected Ethernet endpoints
|
||
page). _Limit to display filter_ will only show conversations matching the
|
||
current display filter. _Absolute start time_ switches the start time column
|
||
between relative (“Rel Start”) and absolute (“Abs Start”) times. Relative start
|
||
times match the “Seconds Since Beginning of Capture” time display format in the
|
||
packet list and absolute start times match the “Time of Day” display format.
|
||
|
||
The btn:[Copy] button will copy the list values to the clipboard in CSV
|
||
(Comma Separated Values) or YAML format. The btn:[Follow Stream...] button
|
||
will show the stream contents as described in <<ChAdvFollowStream>> dialog. The
|
||
btn:[Graph...] button will show a graph as described in <<ChStatIOGraphs>>.
|
||
|
||
btn:[Conversation Types] lets you choose which traffic type tabs are shown.
|
||
See <<ChStatEndpoints>> for a list of endpoint types. The enabled types
|
||
are saved in your profile settings.
|
||
|
||
[TIP]
|
||
====
|
||
This window will be updated frequently so it will be useful even if you open
|
||
it before (or while) you are doing a live capture.
|
||
====
|
||
|
||
// Removed:
|
||
// [[ChStatConversationListWindow]]
|
||
|
||
[[ChStatEndpoints]]
|
||
|
||
=== Endpoints
|
||
|
||
A network endpoint is the logical endpoint of separate protocol traffic of a
|
||
specific protocol layer. The endpoint statistics of Wireshark will take the
|
||
following endpoints into account:
|
||
|
||
[TIP]
|
||
====
|
||
If you are looking for a feature other network tools call a _hostlist_, here is
|
||
the right place to look. The list of Ethernet or IP endpoints is usually what
|
||
you’re looking for.
|
||
====
|
||
|
||
.Endpoint and Conversation types
|
||
|
||
Bluetooth:: A MAC-48 address similar to Ethernet.
|
||
|
||
Ethernet:: Identical to the Ethernet device’s MAC-48 identifier.
|
||
|
||
Fibre Channel:: A MAC-48 address similar to Ethernet.
|
||
|
||
IEEE 802.11:: A MAC-48 address similar to Ethernet.
|
||
|
||
FDDI:: Identical to the FDDI MAC-48 address.
|
||
|
||
IPv4:: Identical to the 32-bit IPv4 address.
|
||
|
||
IPv6:: Identical to the 128-bit IPv6 address.
|
||
|
||
IPX:: A concatenation of a 32 bit network number and 48 bit node address, by
|
||
default the Ethernet interface’s MAC-48 address.
|
||
|
||
JXTA:: A 160 bit SHA-1 URN.
|
||
|
||
NCP:: Similar to IPX.
|
||
|
||
RSVP:: A combination of varios RSVP session attributes and IPv4 addresses.
|
||
|
||
SCTP:: A combination of the host IP addresses (plural) and
|
||
the SCTP port used. So different SCTP ports on the same IP address are different
|
||
SCTP endpoints, but the same SCTP port on different IP addresses of the same
|
||
host are still the same endpoint.
|
||
|
||
TCP:: A combination of the IP address and the TCP port used.
|
||
Different TCP ports on the same IP address are different TCP endpoints.
|
||
|
||
Token Ring:: Identical to the Token Ring MAC-48 address.
|
||
|
||
UDP:: A combination of the IP address and the UDP port used, so different UDP
|
||
ports on the same IP address are different UDP endpoints.
|
||
|
||
USB:: Identical to the 7-bit USB address.
|
||
|
||
[NOTE]
|
||
.Broadcast and multicast endpoints
|
||
====
|
||
Broadcast and multicast traffic will be shown separately as additional
|
||
endpoints. Of course, as these aren’t physical endpoints the real traffic
|
||
will be received by some or all of the listed unicast endpoints.
|
||
====
|
||
|
||
[[ChStatEndpointsWindow]]
|
||
|
||
==== The “Endpoints” Window
|
||
|
||
This window shows statistics about the endpoints captured.
|
||
|
||
.The “Endpoints” window
|
||
image::wsug_graphics/ws-stats-endpoints.png[{screenshot-attrs}]
|
||
|
||
For each supported protocol, a tab is shown in this window. Each tab label shows
|
||
the number of endpoints captured (e.g. the tab label “Ethernet · 4” tells
|
||
you that four ethernet endpoints have been captured). If no endpoints of a
|
||
specific protocol were captured, the tab label will be greyed out (although the
|
||
related page can still be selected).
|
||
|
||
Each row in the list shows the statistical values for exactly one endpoint.
|
||
|
||
_Name resolution_ will be done if selected in the window and if it is
|
||
active for the specific protocol layer (MAC layer for the selected
|
||
Ethernet endpoints page). _Limit to display filter_ will only show
|
||
conversations matching the current display filter. Note that in this
|
||
example we have MaxMind DB configured which gives us extra geographic
|
||
columns. See <<ChMaxMindDbPaths>> for more information.
|
||
|
||
The btn:[Copy] button will copy the list values to the clipboard in CSV
|
||
(Comma Separated Values) or YAML format. The btn:[Map] button will show the
|
||
endpoints mapped in your web browser.
|
||
|
||
btn:[Endpoint Types] lets you choose which traffic type tabs are shown. See
|
||
<<ChStatEndpoints>> above for a list of endpoint types. The enabled
|
||
types are saved in your profile settings.
|
||
|
||
[TIP]
|
||
====
|
||
This window will be updated frequently, so it will be useful even if you open
|
||
it before (or while) you are doing a live capture.
|
||
====
|
||
|
||
// Removed:
|
||
// [[ChStatEndpointListWindow]]
|
||
|
||
|
||
[[ChStatPacketLengths]]
|
||
|
||
=== Packet Lengths
|
||
|
||
Shows the distribution of packet lengths and related information.
|
||
|
||
.The “Packet Lengths” window
|
||
image::wsug_graphics/ws-stats-packet-lengths.png[{medium-screenshot-attrs}]
|
||
|
||
Information is broken down by packet length ranges as shown above.
|
||
|
||
Packet Lengths::
|
||
The range of packet lengths.
|
||
+
|
||
Ranges can be configured in the “Statistics -> Stats Tree” section of the <<ChCustPreferencesSection,Preferences Dialog>>.
|
||
|
||
Count::
|
||
The number of packets that fall into this range.
|
||
|
||
Average::
|
||
The arithmetic mean length of the packets in this range.
|
||
|
||
Min Val, Max Val::
|
||
The minimum and maximum lengths in this range.
|
||
|
||
Rate (ms)::
|
||
The average packets per millisecond for the packets in this range.
|
||
|
||
Percent::
|
||
The percentage of packets in this range, by count.
|
||
|
||
Burst Rate::
|
||
Packet bursts are detected by counting the number of packets in a given time interval and comparing that count to the intervals across a window of time.
|
||
Statistics for the interval with the maximum number of packets are shown.
|
||
By default, bursts are detected across 5 millisecond intervals and intervals are compared across 100 millisecond windows.
|
||
+
|
||
These calculations can be adjusted in the “Statistics” section of the <<ChCustPreferencesSection,Preferences Dialog>>.
|
||
|
||
Burst Start::
|
||
The start time, in seconds from the beginning of the capture, for the interval with the maximum number of packets.
|
||
|
||
You can show statistics for a portion of the capture by entering a display filter into the _Display filter_ entry and pressing btn:[Apply].
|
||
|
||
btn:[Copy] copies the statistics to the clipboard.
|
||
btn:[Save as...] lets you save the data as text, CSV, YAML, or XML.
|
||
|
||
[[ChStatIOGraphs]]
|
||
|
||
=== The “I/O Graph” Window
|
||
|
||
User configurable graph of the captured network packets.
|
||
|
||
You can define up to five differently colored graphs.
|
||
|
||
.The “I/O Graphs” window
|
||
image::wsug_graphics/ws-stats-iographs.png[{screenshot-attrs}]
|
||
|
||
The user can configure the following things:
|
||
|
||
* _Graphs_
|
||
|
||
- __Graph 1-5__: enable the specific graph 1-5 (only graph 1 is enabled by default)
|
||
|
||
- __Color__: the color of the graph (cannot be changed)
|
||
|
||
- __Filter__: a display filter for this graph (only the packets that pass this filter will be taken into account for this graph)
|
||
|
||
- __Style__: the style of the graph (Line/Impulse/FBar/Dot)
|
||
|
||
* _X Axis_
|
||
|
||
- __Tick interval__: an interval in x direction lasts (10/1 minutes or 10/1/0.1/0.01/0.001 seconds)
|
||
|
||
- __Pixels per tick__: use 10/5/2/1 pixels per tick interval
|
||
|
||
- __View as time of day__: option to view x direction labels as time of day instead of seconds or minutes since beginning of capture
|
||
|
||
* _Y Axis_
|
||
|
||
- __Unit__: the unit for the y direction (Packets/Tick, Bytes/Tick, Bits/Tick, Advanced...) [XXX - describe the Advanced feature.]
|
||
|
||
- __Scale__: the scale for the y unit (Logarithmic,Auto,10,20,50,100,200,500,...)
|
||
|
||
The btn:[Save] button will save the currently displayed portion of the graph as one
|
||
of various file formats.
|
||
|
||
The btn:[Copy] button will copy values from selected graphs to the clipboard in CSV
|
||
(Comma Separated Values) format.
|
||
|
||
|
||
[TIP]
|
||
====
|
||
Click in the graph to select the first package in the selected interval.
|
||
====
|
||
|
||
// Applies to the Qt verson:
|
||
// .Missing Values Are Zero
|
||
|
||
// Wireshark's I/O Graph window doesn’t distinguish between missing and zero values.
|
||
// For _plain_ scatter plots, it is assumed that zero values indicate missing data, and those values are ommitted.
|
||
// Zero values are shown in line graphs, bar charts, and _calculated_ scatter plots.
|
||
// Scatter plots are considered calculated if they have a calculated Y axis field or if a moving average is set.
|
||
|
||
// If you need to display zero values in a scatter plot, you can do so by making the Y Axis a calculated field.
|
||
// For example, the calculated equivalent of “Packets” is a “COUNT FRAMES” Y Axis with a Y Field set to “frame”.
|
||
|
||
[[ChStatSRT]]
|
||
|
||
=== Service Response Time
|
||
|
||
The service response time is the time between a request and the corresponding
|
||
response. This information is available for many protocols.
|
||
|
||
Service response time statistics are currently available for the following protocols:
|
||
|
||
* _DCE-RPC_
|
||
|
||
* _Fibre Channel_
|
||
|
||
* _H.225 RAS_
|
||
|
||
* _LDAP_
|
||
|
||
* _LTE MAC_
|
||
|
||
* _MGCP_
|
||
|
||
* _ONC-RPC_
|
||
|
||
* _SMB_
|
||
|
||
As an example, the DCE-RPC service response time is described in more detail.
|
||
|
||
[NOTE]
|
||
====
|
||
The other Service Response Time windows will work the same way (or only slightly
|
||
different) compared to the following description.
|
||
====
|
||
|
||
[[ChStatSRTDceRpc]]
|
||
|
||
==== The “Service Response Time DCE-RPC” Window
|
||
|
||
The service response time of DCE-RPC is the time between the request and the
|
||
corresponding response.
|
||
|
||
First, you have to select the DCE-RPC interface:
|
||
|
||
.The “Compute DCE-RPC statistics” window
|
||
image::wsug_graphics/ws-stats-srt-dcerpc-filter.png[{screenshot-attrs}]
|
||
|
||
You can optionally set a display filter to reduce the number of packets.
|
||
|
||
.The “DCE-RPC Statistic for ...” window
|
||
image::wsug_graphics/ws-stats-srt-dcerpc.png[{screenshot-attrs}]
|
||
|
||
Each row corresponds to a method of the interface selected (so the EPM interface
|
||
in version 3 has 7 methods). For each method the number of calls, and the
|
||
statistics of the SRT time is calculated.
|
||
|
||
[[ChStatDHCPBOOTP]]
|
||
|
||
=== DHCP (BOOTP) Statistics
|
||
|
||
{missing}
|
||
|
||
[[ChStatONCRPC]]
|
||
|
||
=== ONC-RPC Programs
|
||
|
||
{missing}
|
||
|
||
[[ChStat29West]]
|
||
|
||
=== 29West
|
||
|
||
{missing}
|
||
|
||
[[ChStatANCP]]
|
||
|
||
=== ANCP
|
||
|
||
{missing}
|
||
|
||
[[ChStatBACnet]]
|
||
|
||
=== BACnet
|
||
|
||
{missing}
|
||
|
||
[[ChStatCollectd]]
|
||
|
||
=== Collectd
|
||
|
||
{missing}
|
||
|
||
[[ChStatDNS]]
|
||
|
||
=== DNS
|
||
|
||
{missing}
|
||
|
||
[[ChStatFlowGraph]]
|
||
|
||
=== Flow Graph
|
||
|
||
{missing}
|
||
|
||
[[ChStatHARTIP]]
|
||
|
||
=== HART-IP
|
||
|
||
{missing}
|
||
|
||
[[ChStatHPFEEDS]]
|
||
|
||
=== HPFEEDS
|
||
|
||
{missing}
|
||
|
||
[[ChStatHTTP]]
|
||
|
||
=== HTTP Statistics
|
||
|
||
[[ChStatHTTPPacketCounter]]
|
||
|
||
==== HTTP Packet Counter
|
||
|
||
Statistics for HTTP request types and response codes.
|
||
|
||
[[ChStatHTTPRequests]]
|
||
|
||
==== HTTP Requests
|
||
|
||
HTTP statistics based on the host and URI.
|
||
|
||
[[ChStatHTTPLoadDistribution]]
|
||
|
||
==== HTTP Load Distribution
|
||
|
||
HTTP request and response statistics based on the server address and host.
|
||
|
||
[[ChStatHTTPRequestSequences]]
|
||
|
||
==== HTTP Request Sequences
|
||
|
||
HTTP Request Sequences uses HTTP's Referer and Location headers to sequence a
|
||
capture's HTTP requests as a tree. This enables analysts to see how one HTTP
|
||
request leads to the next.
|
||
|
||
.The “HTTP Request Sequences” window
|
||
image::wsug_graphics/ws-stats-http-requestsequences.png[{screenshot-attrs}]
|
||
|
||
|
||
[[ChStatHTTP2]]
|
||
|
||
=== HTTP2
|
||
|
||
{missing}
|
||
|
||
[[ChStatSametime]]
|
||
|
||
=== Sametime
|
||
|
||
{missing}
|
||
|
||
[[ChStatTCPStreamGraphs]]
|
||
|
||
=== TCP Stream Graphs
|
||
|
||
Show different visual representations of the TCP streams in a capture.
|
||
|
||
Time Sequence (Stevens):: This is a simple graph of the TCP sequence
|
||
number over time, similar to the ones used in Richard Stevens’ “TCP/IP
|
||
Illustrated” series of books.
|
||
|
||
Time Sequence (tcptrace):: Shows TCP metrics similar to the
|
||
http://www.tcptrace.org/[tcptrace] utility, including forward segments,
|
||
acknowledgements, selective acknowledgements, reverse window sizes, and
|
||
zero windows.
|
||
|
||
Throughput:: Average throughput and goodput.
|
||
|
||
Round Trip Time:: Round trip time vs time or sequence number. RTT is
|
||
based on the acknowledgement timestamp corresponding to a particular
|
||
segment.
|
||
|
||
Window Scaling:: Window size and outstanding bytes.
|
||
|
||
[[ChStatUDPMulticastGraphs]]
|
||
|
||
=== UDP Multicast Graphs
|
||
|
||
{missing}
|
||
|
||
[[ChStatF5]]
|
||
|
||
=== F5
|
||
|
||
{missing}
|
||
|
||
[[ChStatIPv4]]
|
||
|
||
=== IPv4 Statistics
|
||
|
||
{missing}
|
||
|
||
[[ChStatIPv6]]
|
||
|
||
=== IPv6 Statistics
|
||
|
||
{missing}
|
||
|
||
// End of WSUG Chapter Statistics
|