// WSUG Chapter Statistics

[[ChStatistics]]

== Statistics

[[ChStatIntroduction]]

=== Introduction

Wireshark provides a wide range of network statistics which can be accessed via
the menu:Statistics[] menu.

These statistics range from general information about the loaded capture file
(like the number of captured packets), to statistics about specific protocols
(e.g. statistics about the number of HTTP requests and responses captured).

* General statistics:

- *Capture File Properties* about the capture file.

- *Protocol Hierarchy* of the captured packets.

- *Conversations* e.g. traffic between specific IP addresses.

- *Endpoints* e.g. traffic to and from an IP address.

- *IO Graphs* visualizing the number of packets (or similar) in time.

* Protocol specific statistics:

- *Service Response Time* between request and response of some protocols.

- Various other protocol specific statistics.

[NOTE]
====
The protocol specific statistics require detailed knowledge about the specific
protocol. Unless you are familiar with that protocol, statistics about it will
be pretty hard to understand.
====

Wireshark has many other statistics windows that display detailed
information about specific protocols and might be described in a later
version of this document.

Some of these statistics are described at
{wireshark-wiki-url}Statistics.

[[ChStatSummary]]

=== The “Capture File Properties” Window

General statistics about the current capture file.

.The “Capture File Properties” window
image::wsug_graphics/ws-stats-summary.png[{screenshot-attrs}]

* __File__: general information about the capture file.

* __Time__: the timestamps when the first and the last packet were captured (and
the time between them).

* __Capture__: information from the time when the capture was done (only
available if the packet data was captured from the network and not loaded from
a file).

* __Interface__: information about the capture interface.

* __Statistics__: some statistics of the network traffic seen. If a display
filter is set, you will see values in the _Captured_ column, and if any
packets are marked, you will see values in the _Marked_ column. The values
in the _Captured_ column will remain the same as before, while the values
in the _Displayed_ column will reflect the values corresponding to the
packets shown in the display. The values in the _Marked_ column will
reflect the values corresponding to the marked packets.

[[ChStatResolvedAddresses]]

=== Resolved Addresses

{missing}

[[ChStatHierarchy]]

=== The “Protocol Hierarchy” Window

The protocol hierarchy of the captured packets.

.The “Protocol Hierarchy” Window
image::wsug_graphics/ws-stats-hierarchy.png[{screenshot-attrs}]

This is a tree of all the protocols in the capture. Each row contains the
statistical values of one protocol. Two of the columns (_Percent Packets_ and
_Percent Bytes_) serve double duty as bar graphs. If a display filter is set it
will be shown at the bottom.

The btn:[Copy] button will let you copy the window contents as CSV or YAML.

.Protocol hierarchy columns

_Protocol_:: This protocol’s name

_Percent Packets_:: The percentage of protocol packets relative to all packets in
the capture

_Packets_:: The total number of packets of this protocol

_Percent Bytes_:: The percentage of protocol bytes relative to the total bytes in
the capture

_Bytes_:: The total number of bytes of this protocol

_Bits/s_:: The bandwidth of this protocol relative to the capture time

_End Packets_:: The absolute number of packets of this protocol where it
was the highest protocol in the stack (last dissected)

_End Bytes_:: The absolute number of bytes of this protocol where it
was the highest protocol in the stack (last dissected)

_End Bits/s_:: The bandwidth of this protocol relative to the capture time where
it was the highest protocol in the stack (last dissected)

Packets usually contain multiple protocols. As a result more than one protocol will
be counted for each packet. Example: In the screenshot IP has 99.9% and TCP
98.5% (which together is much more than 100%).

Protocol layers can consist of packets that won’t contain any higher layer
protocol, so the sum of all higher layer packets may not sum up to the protocol’s
packet count. Example: In the screenshot TCP has 98.5% but the sum of the
subprotocols (TLS, HTTP, etc.) is much less. This can be caused by continuation
frames, TCP protocol overhead, and other undissected data.

A single packet can contain the same protocol more than once. In this case, the
protocol is counted more than once. For example ICMP replies and many tunneling
protocols will carry more than one IP header.
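
To make the three counting rules above concrete, here is a small script, added to this guide as an illustration and not Wireshark code, that computes the Protocol Hierarchy columns from per-frame protocol stacks. The capture it works on is constructed inline; it shows layers adding up to more than 100%, the End Packets / End Bytes columns, and an encapsulated IP header counted as its own tree node.

```python
# Constructed sample capture: (frame length in bytes, protocol stack from the lowest
# layer upwards, as the dissectors would report it). The ICMP frame carries a second
# IP header, so "ip" appears twice in its stack.
PACKETS = [
    (74,   ("eth", "ip", "tcp")),                # SYN, no payload: TCP is the end protocol
    (66,   ("eth", "ip", "tcp")),                # bare ACK
    (517,  ("eth", "ip", "tcp", "tls")),
    (1514, ("eth", "ip", "tcp", "http")),
    (98,   ("eth", "ip", "icmp", "ip", "udp")),  # ICMP error quoting the original IP/UDP header
    (60,   ("eth", "arp")),
]
CAPTURE_SECONDS = 2.0  # constructed capture duration, used for the Bits/s columns


def protocol_hierarchy(packets, duration):
    """Return {path: row}. path is the protocol stack prefix that identifies one tree
    node, e.g. ("eth", "ip", "tcp"); row holds the Protocol Hierarchy columns."""
    total_packets = len(packets)
    total_bytes = sum(length for length, _ in packets)
    rows = {}
    for length, stack in packets:
        for depth in range(len(stack)):
            path = stack[:depth + 1]
            row = rows.setdefault(path, {"packets": 0, "bytes": 0, "end_packets": 0, "end_bytes": 0})
            # Every layer present in a frame is counted, so layer percentages add up to more than 100%.
            row["packets"] += 1
            row["bytes"] += length
            if depth == len(stack) - 1:  # highest dissected protocol in this frame
                row["end_packets"] += 1
                row["end_bytes"] += length
    for row in rows.values():
        row["percent_packets"] = round(100.0 * row["packets"] / total_packets, 1)
        row["percent_bytes"] = round(100.0 * row["bytes"] / total_bytes, 1)
        row["bits_per_s"] = round(8 * row["bytes"] / duration, 1)
        row["end_bits_per_s"] = round(8 * row["end_bytes"] / duration, 1)
    return rows


def print_hierarchy(rows):
    # Sorting the path tuples yields the pre-order tree walk the window displays.
    for path, r in sorted(rows.items()):
        print(f"{'  ' * (len(path) - 1)}{path[-1]:<6} {r['percent_packets']:5.1f}% "
              f"{r['packets']:3d} pkts {r['percent_bytes']:5.1f}% {r['bytes']:5d} B "
              f"end: {r['end_packets']} pkts {r['end_bytes']} B")


if __name__ == "__main__":
    print_hierarchy(protocol_hierarchy(PACKETS, CAPTURE_SECONDS))
```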

[[ChStatConversations]]

=== Conversations

A network conversation is the traffic between two specific endpoints. For
example, an IP conversation is all the traffic between two IP addresses. The
description of the known endpoint types can be found in
<<ChStatEndpoints>>.

[[ChStatConversationsWindow]]

==== The “Conversations” Window

The conversations window is similar to the endpoints window. See
<<ChStatEndpointsWindow>> for a description of their common features. Along with
addresses, packet counters, and byte counters the conversation window adds four
columns: the start time of the conversation (“Rel Start” or “Abs Start”),
the duration of the conversation in seconds, and the average bits (not bytes)
per second in each direction. A timeline graph is also drawn across the
“Rel Start” / “Abs Start” and “Duration” columns.

.The “Conversations” window
image::wsug_graphics/ws-stats-conversations.png[{screenshot-attrs}]

Each row in the list shows the statistical values for exactly one conversation.

_Name resolution_ will be done if selected in the window and if it is active for
the specific protocol layer (MAC layer for the selected Ethernet endpoints
page). _Limit to display filter_ will only show conversations matching the
current display filter. _Absolute start time_ switches the start time column
between relative (“Rel Start”) and absolute (“Abs Start”) times. Relative start
times match the “Seconds Since Beginning of Capture” time display format in the
packet list and absolute start times match the “Time of Day” display format.

The btn:[Copy] button will copy the list values to the clipboard in CSV
(Comma Separated Values) or YAML format. The btn:[Follow Stream...] button
will show the stream contents in the dialog described in <<ChAdvFollowStream>>. The
btn:[Graph...] button will show a graph as described in <<ChStatIOGraphs>>.

btn:[Conversation Types] lets you choose which traffic type tabs are shown.
See <<ChStatEndpoints>> for a list of endpoint types. The enabled types
are saved in your profile settings.

[TIP]
====
This window will be updated frequently, so it will be useful even if you open
it before (or while) you are doing a live capture.
====

// Removed:
// [[ChStatConversationListWindow]]

[[ChStatEndpoints]]

=== Endpoints

A network endpoint is the logical endpoint of the traffic of a specific
protocol layer. The endpoint statistics of Wireshark will take the
following endpoints into account:

[TIP]
====
If you are looking for a feature other network tools call a _hostlist_, here is
the right place to look. The list of Ethernet or IP endpoints is usually what
you’re looking for.
====

.Endpoint and Conversation types

_Bluetooth_:: A MAC-48 address similar to Ethernet.

_Ethernet_:: Identical to the Ethernet device’s MAC-48 identifier.

_Fibre Channel_:: A MAC-48 address similar to Ethernet.

_IEEE 802.11_:: A MAC-48 address similar to Ethernet.

_FDDI_:: Identical to the FDDI MAC-48 address.

_IPv4_:: Identical to the 32-bit IPv4 address.

_IPv6_:: Identical to the 128-bit IPv6 address.

_IPX_:: A concatenation of a 32-bit network number and 48-bit node address, by
default the Ethernet interface’s MAC-48 address.

_JXTA_:: A 160-bit SHA-1 URN.

_NCP_:: Similar to IPX.

_RSVP_:: A combination of various RSVP session attributes and IPv4 addresses.

_SCTP_:: A combination of the host IP addresses (plural) and
the SCTP port used. So different SCTP ports on the same IP address are different
SCTP endpoints, but the same SCTP port on different IP addresses of the same
host are still the same endpoint.

_TCP_:: A combination of the IP address and the TCP port used.
Different TCP ports on the same IP address are different TCP endpoints.

_Token Ring_:: Identical to the Token Ring MAC-48 address.

_UDP_:: A combination of the IP address and the UDP port used, so different UDP
ports on the same IP address are different UDP endpoints.

_USB_:: Identical to the 7-bit USB address.

[NOTE]
.Broadcast and multicast endpoints
====
Broadcast and multicast traffic will be shown separately as additional
endpoints. Of course, as these aren’t physical endpoints the real traffic
will be received by some or all of the listed unicast endpoints.
====

[[ChStatEndpointsWindow]]

==== The “Endpoints” Window

This window shows statistics about the endpoints captured.

.The “Endpoints” window
image::wsug_graphics/ws-stats-endpoints.png[{screenshot-attrs}]

For each supported protocol, a tab is shown in this window. Each tab label shows
the number of endpoints captured (e.g. the tab label “Ethernet · 4” tells
you that four Ethernet endpoints have been captured). If no endpoints of a
specific protocol were captured, the tab label will be greyed out (although the
related page can still be selected).

Each row in the list shows the statistical values for exactly one endpoint.

_Name resolution_ will be done if selected in the window and if it is
active for the specific protocol layer (MAC layer for the selected
Ethernet endpoints page). _Limit to display filter_ will only show
endpoints matching the current display filter. Note that in this
example we have MaxMind DB configured which gives us extra geographic
columns. See <<ChMaxMindDbPaths>> for more information.

The btn:[Copy] button will copy the list values to the clipboard in CSV
(Comma Separated Values) or YAML format. The btn:[Map] button will show the
endpoints mapped in your web browser.

btn:[Endpoint Types] lets you choose which traffic type tabs are shown. See
<<ChStatEndpoints>> above for a list of endpoint types. The enabled
types are saved in your profile settings.

[TIP]
====
This window will be updated frequently, so it will be useful even if you open
it before (or while) you are doing a live capture.
====
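
The rows of the Conversations and Endpoints windows described above can be reproduced from frame records. The script below is added as an illustration and is not Wireshark code; it works on a constructed list of TCP frames, builds the Endpoints rows (one per IP address and port) and the Conversations rows with Address A taken from the first frame seen, Rel Start / Abs Start, Duration and bits per second in each direction, and shows how _Limit to display filter_ narrows both with an `ip.addr`-style predicate.

```python
# Constructed TCP frames in capture order:
# (timestamp in seconds since the epoch, src IP, src port, dst IP, dst port, frame length in bytes)
PACKETS = [
    (1700000000.000, "10.0.0.5", 51000, "93.184.216.34", 443, 74),
    (1700000000.020, "93.184.216.34", 443, "10.0.0.5", 51000, 74),
    (1700000000.021, "10.0.0.5", 51000, "93.184.216.34", 443, 66),
    (1700000000.500, "10.0.0.5", 51001, "10.0.0.9", 22, 74),
    (1700000000.525, "10.0.0.9", 22, "10.0.0.5", 51001, 74),
    (1700000002.021, "93.184.216.34", 443, "10.0.0.5", 51000, 1514),
]

def ip_addr(addr):
    """Predicate standing in for the display filter ip.addr == addr (matches either direction)."""
    return lambda p: addr in (p[1], p[3])

def tcp_endpoints(packets, display_filter=lambda p: True):
    """One row per (IP address, TCP port), as on the TCP tab of the Endpoints window."""
    rows = {}
    for _, sip, sport, dip, dport, length in filter(display_filter, packets):
        for key, way in (((sip, sport), "tx"), ((dip, dport), "rx")):
            r = rows.setdefault(key, dict.fromkeys(
                ("packets", "bytes", "tx_packets", "tx_bytes", "rx_packets", "rx_bytes"), 0))
            r["packets"] += 1
            r["bytes"] += length
            r[way + "_packets"] += 1
            r[way + "_bytes"] += length
    return rows

def tcp_conversations(packets, display_filter=lambda p: True, absolute_start=False):
    """One row per pair of TCP endpoints, with the extra columns of the Conversations window."""
    capture_start = packets[0][0]   # "Rel Start" is measured from the first frame of the capture
    rows = {}
    for ts, sip, sport, dip, dport, length in filter(display_filter, packets):
        key = frozenset(((sip, sport), (dip, dport)))
        r = rows.get(key)
        if r is None:
            # Address A / Port A are taken from the first frame seen in this conversation.
            r = rows[key] = {"a": (sip, sport), "b": (dip, dport), "first": ts, "last": ts,
                             "packets": 0, "bytes": 0, "packets_ab": 0, "bytes_ab": 0,
                             "packets_ba": 0, "bytes_ba": 0}
        way = "ab" if (sip, sport) == r["a"] else "ba"
        r["packets"] += 1
        r["bytes"] += length
        r["packets_" + way] += 1
        r["bytes_" + way] += length
        r["last"] = ts
    for r in rows.values():
        r["start"] = r["first"] if absolute_start else round(r["first"] - capture_start, 6)
        r["duration"] = round(r["last"] - r["first"], 6)
        for way in ("ab", "ba"):   # average bits (not bytes) per second per direction
            r["bits_s_" + way] = round(8 * r["bytes_" + way] / r["duration"], 1) if r["duration"] else None
    return rows
```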

// Removed:
// [[ChStatEndpointListWindow]]

[[ChStatPacketLengths]]

=== Packet Lengths

{missing}

[[ChStatIOGraphs]]

=== The “I/O Graph” Window

User configurable graph of the captured network packets.

You can define up to five differently colored graphs.

.The “IO Graphs” window
image::wsug_graphics/ws-stats-iographs.png[{screenshot-attrs}]

The user can configure the following things:

* _Graphs_

- __Graph 1-5__: enable the specific graph 1-5 (only graph 1 is enabled by default)

- __Color__: the color of the graph (cannot be changed)

- __Filter__: a display filter for this graph (only the packets that pass this filter will be taken into account for this graph)

- __Style__: the style of the graph (Line/Impulse/FBar/Dot)

* _X Axis_

- __Tick interval__: the length of one interval in x direction (10/1 minutes or 10/1/0.1/0.01/0.001 seconds)

- __Pixels per tick__: use 10/5/2/1 pixels per tick interval

- __View as time of day__: option to view x direction labels as time of day instead of seconds or minutes since beginning of capture

* _Y Axis_

- __Unit__: the unit for the y direction (Packets/Tick, Bytes/Tick, Bits/Tick, Advanced...) [XXX - describe the Advanced feature.]

- __Scale__: the scale for the y unit (Logarithmic, Auto, 10, 20, 50, 100, 200, 500, ...)

The btn:[Save] button will save the currently displayed portion of the graph in one
of various file formats.

The btn:[Copy] button will copy values from selected graphs to the clipboard in CSV
(Comma Separated Values) format.

[TIP]
====
Click in the graph to select the first packet in the selected interval.
====

[[ChStatSRT]]

=== Service Response Time

The service response time is the time between a request and the corresponding
response. This information is available for many protocols.

Service response time statistics are currently available for the following protocols:

* _DCE-RPC_

* _Fibre Channel_

* _H.225 RAS_

* _LDAP_

* _LTE MAC_

* _MGCP_

* _ONC-RPC_

* _SMB_

As an example, the DCE-RPC service response time is described in more detail.

[NOTE]
====
The other Service Response Time windows work the same way as (or only slightly
differently from) the following description.
====

[[ChStatSRTDceRpc]]

==== The “Service Response Time DCE-RPC” Window

The service response time of DCE-RPC is the time between the request and the
corresponding response.

First of all, you have to select the DCE-RPC interface:

.The “Compute DCE-RPC statistics” window
image::wsug_graphics/ws-stats-srt-dcerpc-filter.png[{screenshot-attrs}]

You can optionally set a display filter to reduce the number of packets.

.The “DCE-RPC Statistic for ...” window
image::wsug_graphics/ws-stats-srt-dcerpc.png[{screenshot-attrs}]

Each row corresponds to a method of the interface selected (so the EPM interface
in version 3 has 7 methods). For each method, the number of calls and the
statistics of the SRT are calculated.
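
An illustration of how such a window is computed, added here and not part of Wireshark: each response is paired with its request by call ID within the selected interface and version, and the calls, minimum, maximum and average SRT per method are derived. The PDU list is constructed; the EPM interface UUID and its version 3 method names follow the DCE RPC endpoint mapper (ept) interface definition, and the second UUID is a placeholder.

```python
EPM_UUID = "e1af8308-5d1f-11c9-91a4-08002b14a0fa"   # DCE RPC endpoint mapper (ept) interface
EPM_V3_METHODS = {0: "ept_insert", 1: "ept_delete", 2: "ept_lookup", 3: "ept_map",
                  4: "ept_lookup_handle_free", 5: "ept_inq_object", 6: "ept_mgmt_delete"}
OTHER_UUID = "00000000-0000-0000-0000-00000000dead"  # placeholder for some other interface

# Constructed DCE-RPC PDUs: (frame, timestamp, interface UUID, version, call_id, opnum, PDU type)
FRAMES = [
    (1, 0.000, EPM_UUID, 3, 1, 3, "request"),
    (2, 0.004, EPM_UUID, 3, 1, 3, "response"),
    (3, 0.010, EPM_UUID, 3, 2, 2, "request"),
    (4, 0.011, EPM_UUID, 3, 3, 3, "request"),     # a second ept_map call in flight at the same time
    (5, 0.030, EPM_UUID, 3, 3, 3, "response"),
    (6, 0.040, EPM_UUID, 3, 2, 2, "response"),
    (7, 0.050, OTHER_UUID, 1, 9, 0, "request"),   # different interface: ignored once EPM v3 is selected
    (8, 0.055, OTHER_UUID, 1, 9, 0, "response"),
    (9, 0.060, EPM_UUID, 3, 4, 2, "request"),     # never answered: contributes no call
]


def dcerpc_srt(frames, uuid, version, method_names=None, display_filter=lambda f: True):
    """Per-opnum service response time rows for one interface, like the DCE-RPC SRT window."""
    method_names = method_names or {}
    pending = {}       # call_id -> (opnum, request timestamp) of unanswered requests
    samples = {}       # opnum -> list of response times in seconds
    for frame in frames:
        _, ts, f_uuid, f_version, call_id, opnum, pdu_type = frame
        if (f_uuid, f_version) != (uuid, version) or not display_filter(frame):
            continue
        if pdu_type == "request":
            pending[call_id] = (opnum, ts)
        elif pdu_type == "response" and call_id in pending:
            # A response is paired with its request by call_id, not by opnum or arrival order.
            req_opnum, req_ts = pending.pop(call_id)
            samples.setdefault(req_opnum, []).append(ts - req_ts)
    rows = {}
    for opnum, srts in sorted(samples.items()):
        rows[opnum] = {"procedure": method_names.get(opnum, f"opnum {opnum}"),
                       "calls": len(srts),
                       "min_srt": round(min(srts), 6),
                       "max_srt": round(max(srts), 6),
                       "avg_srt": round(sum(srts) / len(srts), 6)}
    return rows


if __name__ == "__main__":
    for opnum, r in dcerpc_srt(FRAMES, EPM_UUID, 3, EPM_V3_METHODS).items():
        print(f"{opnum:2d} {r['procedure']:<24} calls={r['calls']} "
              f"min={r['min_srt']:.6f} max={r['max_srt']:.6f} avg={r['avg_srt']:.6f}")
```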

[[ChStatDHCPBOOTP]]

=== DHCP (BOOTP) Statistics

{missing}

[[ChStatONCRPC]]

=== ONC-RPC Programs

{missing}

[[ChStat29West]]

=== 29West

{missing}

[[ChStatANCP]]

=== ANCP

{missing}

[[ChStatBACnet]]

=== BACnet

{missing}

[[ChStatCollectd]]

=== Collectd

{missing}

[[ChStatDNS]]

=== DNS

{missing}

[[ChStatFlowGraph]]

=== Flow Graph

{missing}

[[ChStatHARTIP]]

=== HART-IP

{missing}

[[ChStatHPFEEDS]]

=== HPFEEDS

{missing}

[[ChStatHTTP]]

=== HTTP Statistics

[[ChStatHTTPPacketCounter]]

==== HTTP Packet Counter

Statistics for HTTP request types and response codes.

[[ChStatHTTPRequests]]

==== HTTP Requests

HTTP statistics based on the host and URI.

[[ChStatHTTPLoadDistribution]]

==== HTTP Load Distribution

HTTP request and response statistics based on the server address and host.

[[ChStatHTTPRequestSequences]]

==== HTTP Request Sequences

HTTP Request Sequences uses HTTP's Referer and Location headers to sequence a
capture's HTTP requests as a tree. This enables analysts to see how one HTTP
request leads to the next.

.The “HTTP Request Sequences” window
image::wsug_graphics/ws-stats-http-requestsequences.png[{screenshot-attrs}]
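
As an added illustration (not Wireshark's implementation), the script below builds such a tree from a constructed list of requests: a request whose URL matches the Location header of an earlier response is attached to the request that was redirected, otherwise it hangs under the request whose URL equals its Referer, and a request with no known predecessor in the capture starts a new root.

```python
# Constructed HTTP transactions, in capture order: the request's own URL, its Referer header
# (None if absent) and the Location header of its response (None unless it was a redirect).
REQUESTS = [
    {"frame": 4, "method": "GET", "url": "http://shop.example/",
     "referer": None, "location": None},
    {"frame": 9, "method": "GET", "url": "http://shop.example/app.js",
     "referer": "http://shop.example/", "location": None},
    {"frame": 12, "method": "GET", "url": "http://shop.example/login",
     "referer": "http://shop.example/", "location": "http://sso.example/auth?rd=1"},
    {"frame": 15, "method": "GET", "url": "http://sso.example/auth?rd=1",
     "referer": "http://shop.example/", "location": None},
    {"frame": 20, "method": "GET", "url": "http://cdn.example/lib.js",
     "referer": "http://other.example/page", "location": None},  # Referer never seen: new root
]


def request_sequences(requests):
    """Return {frame: parent frame or None}: each request hangs under the request that led to it."""
    by_url = {}      # URL -> frame of the first request for that URL
    redirects = {}   # Location target URL -> frame of the request whose response redirected there
    parent = {}
    for req in requests:
        if req["url"] in redirects:
            # A redirect is the strongest link: the client did not choose this URL itself.
            parent[req["frame"]] = redirects.pop(req["url"])
        elif req["referer"] in by_url:
            parent[req["frame"]] = by_url[req["referer"]]
        else:
            parent[req["frame"]] = None   # no known predecessor in the capture
        by_url.setdefault(req["url"], req["frame"])
        if req["location"]:
            redirects[req["location"]] = req["frame"]
    return parent


def render_tree(requests, parent):
    """Indented text lines in the order the window would show the tree."""
    by_frame = {r["frame"]: r for r in requests}
    children = {}
    for frame, p in parent.items():
        children.setdefault(p, []).append(frame)
    lines = []

    def walk(frame, depth):
        r = by_frame[frame]
        lines.append(f"{'    ' * depth}{r['method']} {r['url']}  (frame {frame})")
        for child in children.get(frame, []):
            walk(child, depth + 1)

    for root in children.get(None, []):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(REQUESTS, request_sequences(REQUESTS))))
```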

[[ChStatHTTP2]]

=== HTTP2

{missing}

[[ChStatSametime]]

=== Sametime

{missing}

[[ChStatTCPStreamGraphs]]

=== TCP Stream Graphs

Show different visual representations of the TCP streams in a capture.

_Time Sequence (Stevens)_:: This is a simple graph of the TCP sequence
number over time, similar to the ones used in Richard Stevens’ “TCP/IP
Illustrated” series of books.

_Time Sequence (tcptrace)_:: Shows TCP metrics similar to the
http://www.tcptrace.org/[tcptrace] utility, including forward segments,
acknowledgements, selective acknowledgements, reverse window sizes, and
zero windows.

_Throughput_:: Average throughput and goodput.

_Round Trip Time_:: Round trip time vs time or sequence number. RTT is
based on the acknowledgement timestamp corresponding to a particular
segment.

_Window Scaling_:: Window size and outstanding bytes.
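
The Round Trip Time and Throughput graphs can be reproduced from the segment and ACK timestamps of one direction of a stream. The script below is an added illustration, not Wireshark's analysis code, and uses a constructed segment list: each RTT sample is the ACK timestamp minus the send time of the segment that ACK completes, duplicate ACKs give no sample, ACKs that cover retransmitted data are skipped because the sample would be ambiguous (Karn's rule), and goodput is throughput with the retransmitted bytes left out.

```python
# Constructed one direction of a TCP stream: data segments A -> B and the ACKs B sends back.
SEGMENTS = [  # (timestamp, relative sequence number, payload length)
    (0.000, 1, 1000),
    (0.001, 1001, 1000),
    (0.002, 2001, 1000),
    (0.250, 1001, 1000),   # retransmission of the second segment
    (0.300, 3001, 500),
]
ACKS = [  # (timestamp, acknowledgement number)
    (0.050, 1001),
    (0.052, 1001),         # duplicate ACK: the receiver is still missing seq 1001
    (0.301, 3001),         # cumulative ACK covering the retransmission and the third segment
    (0.352, 3501),
]


def rtt_samples(segments, acks):
    """(ack number, rtt) per acknowledgement that newly completes a segment: ACK timestamp minus
    the send time of the latest transmission ending at that ACK number. Duplicate ACKs give no
    sample; ACKs covering retransmitted data are skipped because the sample is ambiguous (Karn)."""
    samples = []
    highest_ack = 0
    for ack_ts, ack in sorted(acks):
        if ack <= highest_ack:
            continue                                     # duplicate ACK, nothing newly acknowledged
        sent = [s for s in segments if s[0] <= ack_ts]   # transmissions visible before this ACK
        transmissions = {}
        for _, seq, length in sent:
            transmissions[(seq, length)] = transmissions.get((seq, length), 0) + 1
        ambiguous = any(n > 1 and seq < ack and seq + length > highest_ack
                        for (seq, length), n in transmissions.items())
        ending = [ts for ts, seq, length in sent if seq + length == ack]
        if ending and not ambiguous:
            samples.append((ack, round(ack_ts - ending[-1], 6)))
        highest_ack = ack
    return samples


def throughput(segments):
    """Average throughput (every byte sent) and goodput (retransmitted bytes excluded), in bits/s."""
    duration = segments[-1][0] - segments[0][0]
    seen = set()
    total = good = 0
    for _, seq, length in segments:
        total += length
        if (seq, length) not in seen:
            seen.add((seq, length))
            good += length
    return round(8 * total / duration, 1), round(8 * good / duration, 1)


if __name__ == "__main__":
    for ack, rtt in rtt_samples(SEGMENTS, ACKS):
        print(f"ack {ack:5d}  rtt {rtt * 1000:.1f} ms")
    print("throughput / goodput (bit/s): %.1f / %.1f" % throughput(SEGMENTS))
```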

[[ChStatUDPMulticastGraphs]]

=== UDP Multicast Graphs

{missing}

[[ChStatF5]]

=== F5

{missing}

[[ChStatIPv4]]

=== IPv4 Statistics

{missing}

[[ChStatIPv6]]

=== IPv6 Statistics

{missing}

// End of WSUG Chapter Statistics