From fb38fe857332a9c0fafc2952de3c6bea45cafba0 Mon Sep 17 00:00:00 2001 From: John Thacker Date: Sat, 5 Feb 2022 20:22:21 -0500 Subject: [PATCH] doc: Document tshark -z stats Document the currently undocumented -z statistics for tshark. Note that all the stats added here exist in 3.6 as well. Fix #8353 (at least for now). --- doc/tshark.adoc | 189 ++++++++++++++++++++++++++++++++++++------------ 1 file changed, 142 insertions(+), 47 deletions(-) diff --git a/doc/tshark.adoc b/doc/tshark.adoc index c3bfef01e3..652ae40bca 100644 --- a/doc/tshark.adoc +++ b/doc/tshark.adoc @@ -1228,6 +1228,15 @@ Count the number of ANSI MAP messages of each type, and calculate the total number of bytes and average bytes of each message type. -- +*-z* asap,stat[,__filter__]:: ++ +-- +Calculate statistics on Aggregate Service Access Protocol (ASAP). +For each ASAP message type, displays the number, rate, and share among +all ASAP message types of both packets and bytes, and the first and last +time that it is seen. +-- + *-z* bacapp_instanceid,tree[,__filter__]:: + -- @@ -1260,6 +1269,15 @@ Displayed information includes source and destination address, object ID, and instance ID. -- +*-z* calcappprotocol,stat[,__filter__]:: ++ +-- +Calculate statistics on the Calculation Application Protocol of +Reliable Server Pooling. For each message type, displays the number, +rate, and share among all message types of both packets and bytes, +and the first and last time that it is seen. +-- + *-z* camel,counter[,__filter__]:: + -- 
@@ -1283,6 +1301,15 @@ of collectd packets and the total number of value segments, along with the host, plugin, and type of the values. -- +*-z* componentstatusprotocol,stat[,__filter__]:: ++ +-- +Calculate statistics on the Calculation Status Protocol of Reliable +Server Pooling. For each message type, displays the number, rate +and share among all message types of both packets and bytes, and the +first and last time that it is seen. +-- + *-z* conv,__type__[,__filter__]:: + -- 
@@ -1290,26 +1317,27 @@ Create a table that lists all conversations that could be seen in the capture. __type__ specifies the conversation endpoint types for which we want to generate the statistics; currently the supported ones are: - "bluetooth" Bluetooth addresses - "eth" Ethernet addresses - "fc" Fibre Channel addresses - "fddi" FDDI addresses - "ip" IPv4 addresses - "ipv6" IPv6 addresses - "ipx" IPX addresses - "jxta" JXTA message addresses - "mptcp" Multipath TCP connections - "ncp" NCP connections - "rsvp" RSVP connections - "sctp" SCTP addresses - "sll" Linux "cooked mode" capture addresses - "tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported - "tr" Token Ring addresses - "udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported - "usb" USB addresses - "wlan" IEEE 802.11 addresses - "wpan" IEEE 802.15.4 addresses - "zbee_nwk" ZigBee Network Layer addresses + "bluetooth" Bluetooth addresses + "dccp" DCCP/IP socket pairs Both IPv4 and IPv6 are supported + "eth" Ethernet addresses + "fc" Fibre Channel addresses + "fddi" FDDI addresses + "ip" IPv4 addresses + "ipv6" IPv6 addresses + "ipx" IPX addresses + "jxta" JXTA message addresses + "mptcp" Multipath TCP connections + "ncp" NCP connections + "rsvp" RSVP connections + "sctp" SCTP/IP socket pairs Both IPv4 and IPv6 are supported + "sll" Linux "cooked mode" capture addresses + "tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported + "tr" Token Ring addresses + "udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported + "usb" USB addresses + "wlan" IEEE 802.11 addresses + "wpan" IEEE 802.15.4 addresses + "zbee_nwk" ZigBee Network Layer addresses The table is presented with one line for each conversation and displays the number of packets/bytes in each direction as well as the total 
@@ -1428,26 +1456,27 @@ Create a table that lists all endpoints that could be seen in the capture. __type__ specifies the endpoint types for which we want to generate the statistics; currently the supported ones are: - "bluetooth" Bluetooth addresses - "eth" Ethernet addresses - "fc" Fibre Channel addresses - "fddi" FDDI addresses - "ip" IPv4 addresses - "ipv6" IPv6 addresses - "ipx" IPX addresses - "jxta" JXTA message addresses - "mptcp" Multipath TCP connections - "ncp" NCP connections - "rsvp" RSVP connections - "sctp" SCTP addresses - "sll" Linux "cooked mode" capture addresses - "tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported - "tr" Token Ring addresses - "udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported - "usb" USB addresses - "wlan" IEEE 802.11 addresses - "wpan" IEEE 802.15.4 addresses - "zbee_nwk" ZigBee Network Layer addresses + "bluetooth" Bluetooth addresses + "dccp" DCCP/IP socket pairs Both IPv4 and IPv6 are supported + "eth" Ethernet addresses + "fc" Fibre Channel addresses + "fddi" FDDI addresses + "ip" IPv4 addresses + "ipv6" IPv6 addresses + "ipx" IPX addresses + "jxta" JXTA message addresses + "mptcp" Multipath TCP connections + "ncp" NCP connections + "rsvp" RSVP connections + "sctp" SCTP/IP socket pairs Both IPv4 and IPv6 are supported + "sll" Linux "cooked mode" capture addresses + "tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported + "tr" Token Ring addresses + "udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported + "usb" USB addresses + "wlan" IEEE 802.11 addresses + "wpan" IEEE 802.15.4 addresses + "zbee_nwk" ZigBee Network Layer addresses The table is presented with one line for each conversation and displays the number of packets/bytes in each direction as well as the total 
@@ -1455,6 +1484,15 @@ number of packets/bytes. The table is sorted according to the total number of frames. -- +*-z* enrp,stat[,__filter__]:: ++ +-- +Calculate statistics on Endpoint Handlespace Redundancy Protocol (ENRP). +For each message type, displays the number, rate, and share among +all message types of both packets and bytes, and the first and last +time that it is seen. +-- + *-z* expert[__,error|,warn|,note|,chat|,comment__][,__filter__]:: + -- @@ -1470,6 +1508,41 @@ Example: *-z "expert,note,tcp"* will only collect expert items for frames that include the tcp protocol, with a severity of note or higher. -- +*-z* f1ap,tree[,__filter__]:: ++ +-- +Calculate the distribution of F1AP packets, grouped by packet types. +-- + +*-z* f5_tmm_dist,tree[,__filter__]:: ++ +-- +Calculate the F5 Ethernet trailer Traffic Managment Microkernel distribution. +Displayed information is the number of packets and bytes, grouped by the TMM +slot and number, whether packets are ingress or egress, and whether there is +a flow ID and virtual server name, a flow ID without virtual server name, or +no flow ID, along with total for all packets with F5 trailers. +-- + +*-z* f5_virt_dist,tree[,__filter__]:: ++ +-- +Calculate F5 Ethernet trailer Virtual Server distribution. +Displayed information is the number of packets and bytes, grouped by the +virtual server name if it exists, or by whether there is a flow ID or not +if there is no virtual server name, as well as totals for all packets with +F5 trailers. +-- + +*-z* fc,srt[,__filter__]:: ++ +-- +Collect requests/response SRT (Service Response Time) data for GTP. +Data collected is the number of request/response pairs, mimimum SRT, +maximum SRT, average SRT, and sum SRT for each value of the Type field +(next protocol). No statistics are gathered on unpaired messages. +-- + *-z* flow,__name__,__mode__[,__filter__]:: + -- 
@@ -1503,11 +1576,16 @@ __prot__ specifies the transport protocol. It can be one of: tcp TCP udp UDP + dccp DCCP tls TLS or SSL http HTTP streams http2 HTTP/2 streams quic QUIC streams +NOTE: While the usage help presents sip as an option, the proper +stream filters are not implemented so SIP calls cannot be followed +in *TShark*, only in *Wireshark*. + __mode__ specifies the output mode. It can be one of: ascii ASCII output with dots for non-printable characters @@ -1525,12 +1603,12 @@ __filter__ specifies the stream to be displayed. There are three formats: stream-index stream-index,substream-index -The first format specifies IP addresses and TCP or UDP port pairs. (TCP ports -are used for TLS, HTTP, and HTTP2; QUIC does not support address and port -matching because of connection migration.) +The first format specifies IP addresses and TCP, UDP, or DCCP port pairs. +(TCP ports are used for TLS, HTTP, and HTTP2; QUIC does not support address +and port matching because of connection migration.) -The second format specifies stream indices, and is used for TCP, UDP, TLS, and -HTTP. (TLS and HTTP use TCP stream indices.) +The second format specifies stream indices, and is used for TCP, UDP, DCCP, +TLS, and HTTP. (TLS and HTTP use TCP stream indices.) The third format, specifying streams and substreams, is used for HTTP/2 and QUIC due to their use of multiplexing. (TCP stream and HTTP/2 stream indices @@ -1586,6 +1664,15 @@ stream on the first TCP session (index 0) with HTTP/2 Stream ID 1. -- +*-z* fractalgeneratorprotocol,stat[,__filter__]:: ++ +-- +Calculate statistics on the Fractal Generator Protocol of Reliable +Server Pooling. For each message type, displays the number, rate +and share among all message types of both packets and bytes, and the +first and last time that it is seen. +-- + *-z* gsm_a:: + -- 
@@ -1668,7 +1755,7 @@ Example: *-z "h225_ras,rtd,ip.addr==1.2.3.4"* will only collect stats for ITU-T H.225 RAS packets exchanged by the host at IP address 1.2.3.4 . -- -*-z* hart_ip,tree,[,__filter__]:: +*-z* hart_ip,tree[,__filter__]:: + -- Calculate statistics on HART-IP packets, grouping by message types and @@ -2127,6 +2214,15 @@ the number of packets, number of packets with the RTP market bit set, number of AMR frames, jitter analysis, and sequence number analysis. -- +*-z* pingpongprotocol,stat[,__filter__]:: ++ +-- +Calculate statistics on the Ping Pong Protocol of Reliable +Server Pooling. For each message type, displays the number, rate +and share among all message types of both packets and bytes, and the +first and last time that it is seen. +-- + *-z* plen,tree[,__filter__]:: + -- @@ -2170,7 +2266,6 @@ This option can be used multiple times on the command line. Calculate statistics on port types that occur on IPv4 packets. -- - *-z* radius,rtd[,__filter__]:: + --
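Review bot: In the `componentstatusprotocol,stat` entry (hunk at -1283) the protocol is named "Calculation Status Protocol", which does not match the option name and reads as carried over from the `calcappprotocol` entry. If "Component Status Protocol" is what is meant, please correct it. The new Reliable Server Pooling entries are also inconsistent about the serial comma: `asap`, `calcappprotocol` and `enrp` say "the number, rate, and share", while `componentstatusprotocol`, `fractalgeneratorprotocol` and `pingpongprotocol` say "the number, rate and share". Pick one form for all six.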
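Review bot: The commit message describes this as documenting undocumented `-z` stats, but the `conv` type table (hunk at -1290) also changes the existing "sctp" row from "SCTP addresses" to "SCTP/IP socket pairs" and adds a "dccp" row. That is a change to the documented meaning of an existing type, so it should be mentioned in the commit message or split into its own commit. Because every row of the table is rewritten, it is also worth confirming that only the "dccp" and "sctp" rows changed in content.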
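Review bot: In the endpoints hunk (at -1428) the trailing context still reads "The table is presented with one line for each conversation and displays the number of packets/bytes in each direction", although this entry is introduced as "Create a table that lists all endpoints". Since the type table directly above it is being rewritten here, consider changing that sentence to speak of endpoints in the same patch. The "sctp" and "dccp" row changes duplicate those in the `conv` table, so the same commit-message remark applies.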
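Review bot: The new `-z fc,srt` entry (hunk at -1470) says it collects SRT data "for GTP", which contradicts the option name; elsewhere in this file "fc" is Fibre Channel, so the sentence looks copied from another SRT entry. Please also check that "each value of the Type field (next protocol)" is the right grouping key for this tap. Two typos in the same hunk: "mimimum SRT" should be "minimum SRT", and "Traffic Managment Microkernel" in `f5_tmm_dist` should be "Management". Finally, `f5_tmm_dist` ends "along with total for all packets" while `f5_virt_dist` ends "as well as totals for all packets"; use the same wording in both.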
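Review bot: The NOTE added under the `follow` protocol list (hunk at -1503) documents a mismatch between the usage help and actual behaviour ("the usage help presents sip as an option ... SIP calls cannot be followed in *TShark*") instead of resolving it. Consider removing sip from the usage help in the same series, or referencing a tracking issue in the commit message so the note can be dropped once that is fixed. Also consider stating in the NOTE what a user sees when sip is passed, so the failure can be recognised from the output.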