osmocom
/
wireshark
11
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
wireshark/docbook/wsug_src/WSUG_chapter_statistics.adoc

559 lines
15 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

// WSUG Chapter Statistics
[[ChStatistics]]
== Statistics
[[ChStatIntroduction]]
=== Introduction
Wireshark provides a wide range of network statistics which can be accessed via
the menu:Statistics[] menu.
These statistics range from general information about the loaded capture file
(like the number of captured packets), to statistics about specific protocols
(e.g. statistics about the number of HTTP requests and responses captured).
* General statistics:
- *Capture File Properties* about the capture file.
- *Protocol Hierarchy* of the captured packets.
- *Conversations* e.g. traffic between specific IP addresses.
- *Endpoints* e.g. traffic to and from an IP addresses.
- *IO Graphs* visualizing the number of packets (or similar) in time.
* Protocol specific statistics:
- *Service Response Time* between request and response of some protocols.
- Various other protocol specific statistics.
[NOTE]
====
The protocol specific statistics require detailed knowledge about the specific
protocol. Unless you are familiar with that protocol, statistics about it will
be pretty hard to understand.
====
Wireshark has many other statistics windows that display detailed
information about specific protocols and might be described in a later
version of this document.
Some of these statistics are described at
{wireshark-wiki-url}Statistics.
[[ChStatSummary]]
=== The “Capture File Properties” Window
General statistics about the current capture file.
.The “Capture File Properties” window
image::wsug_graphics/ws-stats-summary.png[{screenshot-attrs}]
* __File__: general information about the capture file.
* __Time__: the timestamps when the first and the last packet were captured (and
the time between them).
* __Capture__: information from the time when the capture was done (only
available if the packet data was captured from the network and not loaded from
a file).
* __Interface__: information about the capture interface.
* __Statistics__: some statistics of the network traffic seen. If a display
filter is set, you will see values in the Captured column, and if any
packages are marked, you will see values in the Marked column. The values
in the _Captured_ column will remain the same as before, while the values
in the _Displayed_ column will reflect the values corresponding to the
packets shown in the display. The values in the _Marked_ column will
reflect the values corresponding to the marked packages.
[[ChStatResolvedAddresses]]
=== Resolved Addresses
{missing}
[[ChStatHierarchy]]
=== The “Protocol Hierarchy” Window
The protocol hierarchy of the captured packets.
.The “Protocol Hierarchy” Window
image::wsug_graphics/ws-stats-hierarchy.png[{screenshot-attrs}]
This is a tree of all the protocols in the capture. Each row contains the
statistical values of one protocol. Two of the columns (_Percent Packets_ and
_Percent Bytes_) serve double duty as bar graphs. If a display filter is set it
will be shown at the bottom.
The btn:[Copy] button will let you copy the window contents as CSV or YAML.
.Protocol hierarchy columns
_Protocol_:: This protocols name
_Percent Packets_:: The percentage of protocol packets relative to all packets in
the capture
_Packets_:: The total number of packets of this protocol
_Percent Bytes_:: The percentage of protocol bytes relative to the total bytes in
the capture
_Bytes_:: The total number of bytes of this protocol
_Bits/s_:: The bandwidth of this protocol relative to the capture time
_End Packets_:: The absolute number of packets of this protocol where it
was the highest protocol in the stack (last dissected)
_End Bytes_:: The absolute number of bytes of this protocol where it
was the highest protocol in the stack (last dissected)
_End Bits/s_:: The bandwidth of this protocol relative to the capture time where
was the highest protocol in the stack (last dissected)
Packets usually contain multiple protocols. As a result more than one protocol will
be counted for each packet. Example: In the screenshot IP has 99.9% and TCP
98.5% (which is together much more than 100%).
Protocol layers can consist of packets that wont contain any higher layer
protocol, so the sum of all higher layer packets may not sum up to the protocols
packet count. Example: In the screenshot TCP has 98.5% but the sum of the
subprotocols (TLS, HTTP, etc) is much less. This can be caused by continuation
frames, TCP protocol overhead, and other undissected data.
A single packet can contain the same protocol more than once. In this case, the
protocol is counted more than once. For example ICMP replies and many tunneling
protocols will carry more than one IP header.
[[ChStatConversations]]
=== Conversations
A network conversation is the traffic between two specific endpoints. For
example, an IP conversation is all the traffic between two IP addresses. The
description of the known endpoint types can be found in
<<ChStatEndpoints>>.
[[ChStatConversationsWindow]]
==== The “Conversations” Window
The conversations window is similar to the endpoint Window. See
<<ChStatEndpointsWindow>> for a description of their common features. Along with
addresses, packet counters, and byte counters the conversation window adds four
columns: the start time of the conversation (“Rel Start”) or (“Abs Start”),
the duration of the conversation in seconds, and the average bits (not bytes)
per second in each direction. A timeline graph is also drawn across the
“Rel Start” / “Abs Start” and “Duration” columns.
.The “Conversations” window
image::wsug_graphics/ws-stats-conversations.png[{screenshot-attrs}]
Each row in the list shows the statistical values for exactly one conversation.
_Name resolution_ will be done if selected in the window and if it is active for
the specific protocol layer (MAC layer for the selected Ethernet endpoints
page). _Limit to display filter_ will only show conversations matching the
current display filter. _Absolute start time_ switches the start time column
between relative (“Rel Start”) and absolute (“Abs Start”) times. Relative start
times match the “Seconds Since Beginning of Capture” time display format in the
packet list and absolute start times match the “Time of Day” display format.
The btn:[Copy] button will copy the list values to the clipboard in CSV
(Comma Separated Values) or YAML format. The btn:[Follow Stream...] button
will show the stream contents as described in <<ChAdvFollowStream>> dialog. The
btn:[Graph...] button will show a graph as described in <<ChStatIOGraphs>>.
btn:[Conversation Types] lets you choose which traffic type tabs are shown.
See <<ChStatEndpoints>> for a list of endpoint types. The enabled types
are saved in your profile settings.
[TIP]
====
This window will be updated frequently so it will be useful even if you open
it before (or while) you are doing a live capture.
====
// Removed:
// [[ChStatConversationListWindow]]
[[ChStatEndpoints]]
=== Endpoints
A network endpoint is the logical endpoint of separate protocol traffic of a
specific protocol layer. The endpoint statistics of Wireshark will take the
following endpoints into account:
[TIP]
====
If you are looking for a feature other network tools call a _hostlist_, here is
the right place to look. The list of Ethernet or IP endpoints is usually what
youre looking for.
====
.Endpoint and Conversation types
_Bluetooth_:: A MAC-48 address similar to Ethernet.
_Ethernet_:: Identical to the Ethernet devices MAC-48 identifier.
_Fibre Channel_:: A MAC-48 address similar to Ethernet.
_IEEE 802.11_:: A MAC-48 address similar to Ethernet.
_FDDI_:: Identical to the FDDI MAC-48 address.
_IPv4_:: Identical to the 32-bit IPv4 address.
_IPv6_:: Identical to the 128-bit IPv6 address.
_IPX_:: A concatenation of a 32 bit network number and 48 bit node address, by
default the Ethernet interfaces MAC-48 address.
_JXTA_:: A 160 bit SHA-1 URN.
_NCP_:: Similar to IPX.
_RSVP_:: A combination of varios RSVP session attributes and IPv4 addresses.
_SCTP_:: A combination of the host IP addresses (plural) and
the SCTP port used. So different SCTP ports on the same IP address are different
SCTP endpoints, but the same SCTP port on different IP addresses of the same
host are still the same endpoint.
_TCP_:: A combination of the IP address and the TCP port used.
Different TCP ports on the same IP address are different TCP endpoints.
_Token Ring_:: Identical to the Token Ring MAC-48 address.
_UDP_:: A combination of the IP address and the UDP port used, so different UDP
ports on the same IP address are different UDP endpoints.
_USB_:: Identical to the 7-bit USB address.
[NOTE]
.Broadcast and multicast endpoints
====
Broadcast and multicast traffic will be shown separately as additional
endpoints. Of course, as these arent physical endpoints the real traffic
will be received by some or all of the listed unicast endpoints.
====
[[ChStatEndpointsWindow]]
==== The “Endpoints” Window
This window shows statistics about the endpoints captured.
.The “Endpoints” window
image::wsug_graphics/ws-stats-endpoints.png[{screenshot-attrs}]
For each supported protocol, a tab is shown in this window. Each tab label shows
the number of endpoints captured (e.g. the tab label “Ethernet &#183; 4” tells
you that four ethernet endpoints have been captured). If no endpoints of a
specific protocol were captured, the tab label will be greyed out (although the
related page can still be selected).
Each row in the list shows the statistical values for exactly one endpoint.
_Name resolution_ will be done if selected in the window and if it is
active for the specific protocol layer (MAC layer for the selected
Ethernet endpoints page). _Limit to display filter_ will only show
conversations matching the current display filter. Note that in this
example we have MaxMind DB configured which gives us extra geographic
columns. See <<ChMaxMindDbPaths>> for more information.
The btn:[Copy] button will copy the list values to the clipboard in CSV
(Comma Separated Values) or YAML format. The btn:[Map] button will show the
endpoints mapped in your web browser.
btn:[Endpoint Types] lets you choose which traffic type tabs are shown. See
<<ChStatEndpoints>> above for a list of endpoint types. The enabled
types are saved in your profile settings.
[TIP]
====
This window will be updated frequently, so it will be useful even if you open
it before (or while) you are doing a live capture.
====
// Removed:
// [[ChStatEndpointListWindow]]
[[ChStatPacketLengths]]
=== Packet Lengths
{missing}
[[ChStatIOGraphs]]
=== The “I/O Graph” Window
User configurable graph of the captured network packets.
You can define up to five differently colored graphs.
.The “IO Graphs” window
image::wsug_graphics/ws-stats-iographs.png[{screenshot-attrs}]
The user can configure the following things:
* _Graphs_
- __Graph 1-5__: enable the specific graph 1-5 (only graph 1 is enabled by default)
- __Color__: the color of the graph (cannot be changed)
- __Filter__: a display filter for this graph (only the packets that pass this filter will be taken into account for this graph)
- __Style__: the style of the graph (Line/Impulse/FBar/Dot)
* _X Axis_
- __Tick interval__: an interval in x direction lasts (10/1 minutes or 10/1/0.1/0.01/0.001 seconds)
- __Pixels per tick__: use 10/5/2/1 pixels per tick interval
- __View as time of day__: option to view x direction labels as time of day instead of seconds or minutes since beginning of capture
* _Y Axis_
- __Unit__: the unit for the y direction (Packets/Tick, Bytes/Tick, Bits/Tick, Advanced...) [XXX - describe the Advanced feature.]
- __Scale__: the scale for the y unit (Logarithmic,Auto,10,20,50,100,200,500,...)
The btn:[Save] button will save the currently displayed portion of the graph as one
of various file formats.
The btn:[Copy] button will copy values from selected graphs to the clipboard in CSV
(Comma Separated Values) format.
[TIP]
====
Click in the graph to select the first package in the selected interval.
====
[[ChStatSRT]]
=== Service Response Time
The service response time is the time between a request and the corresponding
response. This information is available for many protocols.
Service response time statistics are currently available for the following protocols:
* _DCE-RPC_
* _Fibre Channel_
* _H.225 RAS_
* _LDAP_
* _LTE MAC_
* _MGCP_
* _ONC-RPC_
* _SMB_
As an example, the DCE-RPC service response time is described in more detail.
[NOTE]
====
The other Service Response Time windows will work the same way (or only slightly
different) compared to the following description.
====
[[ChStatSRTDceRpc]]
==== The “Service Response Time DCE-RPC” Window
The service response time of DCE-RPC is the time between the request and the
corresponding response.
First of all, you have to select the DCE-RPC interface:
.The “Compute DCE-RPC statistics” window
image::wsug_graphics/ws-stats-srt-dcerpc-filter.png[{screenshot-attrs}]
You can optionally set a display filter, to reduce the amount of packets.
.The “DCE-RPC Statistic for ...” window
image::wsug_graphics/ws-stats-srt-dcerpc.png[{screenshot-attrs}]
Each row corresponds to a method of the interface selected (so the EPM interface
in version 3 has 7 methods). For each method the number of calls, and the
statistics of the SRT time is calculated.
[[ChStatDHCPBOOTP]]
=== DHCP (BOOTP) Statistics
{missing}
[[ChStatONCRPC]]
=== ONC-RPC Programs
{missing}
[[ChStat29West]]
=== 29West
{missing}
[[ChStatANCP]]
=== ANCP
{missing}
[[ChStatBACnet]]
=== BACnet
{missing}
[[ChStatCollectd]]
=== Collectd
{missing}
[[ChStatDNS]]
=== DNS
{missing}
[[ChStatFlowGraph]]
=== Flow Graph
{missing}
[[ChStatHARTIP]]
=== HART-IP
{missing}
[[ChStatHPFEEDS]]
=== HPFEEDS
{missing}
[[ChStatHTTP]]
=== HTTP Statistics
[[ChStatHTTPPacketCounter]]
==== HTTP Packet Counter
Statistics for HTTP request types and response codes.
[[ChStatHTTPRequests]]
==== HTTP Requests
HTTP statistics based on the host and URI.
[[ChStatHTTPLoadDistribution]]
==== HTTP Load Distribution
HTTP request and response statistics based on the server address and host.
[[ChStatHTTPRequestSequences]]
==== HTTP Request Sequences
HTTP Request Sequences uses HTTP's Referer and Location headers to sequence a
capture's HTTP requests as a tree. This enables analysts to see how one HTTP
request leads to the next.
.The “HTTP Request Sequences” window
image::wsug_graphics/ws-stats-http-requestsequences.png[{screenshot-attrs}]
[[ChStatHTTP2]]
=== HTTP2
{missing}
[[ChStatSametime]]
=== Sametime
{missing}
[[ChStatTCPStreamGraphs]]
=== TCP Stream Graphs
Show different visual representations of the TCP streams in a capture.
_Time Sequence (Stevens)_:: This is a simple graph of the TCP sequence
number over time, similar to the ones used in Richard Stevens “TCP/IP
Illustrated” series of books.
_Time Sequence (tcptrace)_:: Shows TCP metrics similar to the
http://www.tcptrace.org/[tcptrace] utility, including forward segments,
acknowledgements, selective acknowledgements, reverse window sizes, and
zero windows.
_Throughput_:: Average throughput and goodput.
_Round Trip Time_:: Round trip time vs time or sequence number. RTT is
based on the acknowledgement timestamp corresponding to a particular
segment.
_Window Scaling_:: Window size and outstanding bytes.
[[ChStatUDPMulticastGraphs]]
=== UDP Multicast Graphs
{missing}
[[ChStatF5]]
=== F5
{missing}
[[ChStatIPv4]]
=== IPv4 Statistics
{missing}
[[ChStatIPv6]]
=== IPv6 Statistics
{missing}
// End of WSUG Chapter Statistics
Reference in New Issue View Git Blame Copy Permalink