Tshark bug 1: The LOAD stat in the last row of the tshark output is inaccurate because rpc.time is divided by the full interval (10 secs) rather than limiting it to the capture duration (2.4 secs). In this example, the last interval is 3.25 outstanding requests but it should be 11.22 secs.

Current tshark version

============================================================================

IO Statistics

Interval: 10.000000 secs

Column #0: LOAD(rpc.time)rpc.time

| Column #0 |

Time | LOAD |

0000.000000-0010.000000 12.062890

0010.000000-0020.000000 12.332030

0020.000000-0030.000000 3.011328

============================================================================

Corrected tshark version

=================================

| IO Statistics |

| |

| Interval size: 10 secs |

| Col 1: LOAD(rpc.time)rpc.time |

|-------------------------------|

| |1 | |

| Interval | LOAD | |

|----------------------| |

| 0 <> 10 | 12.062890 | |

| 10 <> 20 | 12.332030 | |

| 20 <> 22 | 10.389490 | |

=================================

Tshark bug 2: The empty comma field (for outputting total frames and bytes) is ignored when it is the first field to be displayed.

Command: "C:\Program Files (x86)\Wireshark-1.7.2-current\tshark" -n -q -r smb2.cap –z io,stat,30,,FRAMES(),BYTES(),FRAMES()smb2.time,BYTES()smb2.time,smb2.time

Current version: ‘Frames | Bytes’ column is missing

===============================================================================================================================

IO Statistics

Interval: 30.000000 secs

Column #0: FRAMES()

Column #1: BYTES()

Column #2: FRAMES()smb2.time

Column #3: BYTES()smb2.time

Column #4: smb2.time

0000.000000-0030.000000 4283 8896923 285 6436866 285 6436866

0030.000000-0060.000000 4090 8168912 328 5615924 328 5615924

0060.000000-0090.000000 4794 9887687 362 7175660 362 7175660

0090.000000-0120.000000 3462 7122294 293 5422394 293 5422394

0120.000000-0150.000000 4873 10110030 402 7960616 402 7960616

0150.000000-0180.000000 616 1286485 43 924190 43 924190

===============================================================================================================================

Command: "C:\wireshark-1.7.2\wireshark-gtk2\tshark" -n -q -r smb2.cap –z io,stat,30,,FRAMES(),BYTES(),FRAMES()smb2.time,BYTES()smb2.time,smb2.time

Corrected version

============================================================================================

| IO Statistics |

| |

| Interval size: 30 secs |

| Col 1: Frames and bytes |

| 2: FRAMES() |

| 3: BYTES() |

| 4: FRAMES()smb2.time |

| 5: BYTES()smb2.time |

| 6: smb2.time |

|------------------------------------------------------------------------------------------|

| |1 |2 |3 |4 |5 |6 |

|------------------------------------------------------------------------------------------|

| 0 <> 30 | 4283 | 8896923 | 4283 | 8896923 | 285 | 6436866 | 285 | 6436866 |

| 30 <> 60 | 4090 | 8168912 | 4090 | 8168912 | 328 | 5615924 | 328 | 5615924 |

| 60 <> 90 | 4794 | 9887687 | 4794 | 9887687 | 362 | 7175660 | 362 | 7175660 |

| 90 <> 120 | 3462 | 7122294 | 3462 | 7122294 | 293 | 5422394 | 293 | 5422394 |

| 120 <> 150 | 4873 | 10110030 | 4873 | 10110030 | 402 | 7960616 | 402 | 7960616 |

| 150 <> 154 | 616 | 1286485 | 616 | 1286485 | 43 | 924190 | 43 | 924190 |

============================================================================================

Tshark bug 3: Intervals at the end of capture that contain no data are not displayed.

In the following example the capture duration is 12 seconds but the last four intervals of 8 to 12 secs are not displayed by tshark.

Current version

==============================================================================================================

IO Statistics

Interval: 1.000000 secs

Column #0: COUNT(smb.file.rw.length)smb.file.rw.length and smb.flags.response == 1

Column #1: SUM(smb.file.rw.length)smb.file.rw.length and smb.flags.response == 1

Column #2: MIN(smb.file.rw.length)smb.file.rw.length and smb.flags.response == 1

Column #3: MAX(smb.file.rw.length)smb.file.rw.length and smb.flags.response == 1

Column #4: AVG(smb.file.rw.length)smb.file.rw.length and smb.flags.response == 1

Time | COUNT | SUM | MIN | MAX | AVG |

0000.000000-0001.000000 138 4227072 4096 61440 30630

0001.000000-0002.000000 54 1712128 4096 61440 31706

0002.000000-0003.000000 0 0 0 0 0

0003.000000-0004.000000 0 0 0 0 0

0004.000000-0005.000000 0 0 0 0 0

0005.000000-0006.000000 152 4866048 4096 61440 32013

0006.000000-0007.000000 216 6963200 4096 61440 32237

0007.000000-0008.000000 101 3199222 4096 61440 31675

==============================================================================================================

Corrected

==================================================================================

| IO Statistics |

| |

| Interval size: 1 secs |

| Col 1: COUNT(smb.file.rw.length)smb.file.rw.length and smb.flags.response == 1 |

| 2: SUM(smb.file.rw.length)smb.file.rw.length and smb.flags.response == 1 |

| 3: MIN(smb.file.rw.length)smb.file.rw.length and smb.flags.response == 1 |

| 4: MAX(smb.file.rw.length)smb.file.rw.length and smb.flags.response == 1 |

| 5: AVG(smb.file.rw.length)smb.file.rw.length and smb.flags.response == 1 |

|--------------------------------------------------------------------------------|

| |1 |2 |3 |4 |5 | |

| Interval | COUNT | SUM | MIN | MAX | AVG | |

|----------------------------------------------------| |

| 0 <> 1 | 138 | 4227072 | 4096 | 61440 | 30630 | |

| 1 <> 2 | 54 | 1712128 | 4096 | 61440 | 31706 | |

| 2 <> 3 | 0 | 0 | 0 | 0 | 0 | |

| 3 <> 4 | 0 | 0 | 0 | 0 | 0 | |

| 4 <> 5 | 0 | 0 | 0 | 0 | 0 | |

| 5 <> 6 | 152 | 4866048 | 4096 | 61440 | 32013 | |

| 6 <> 7 | 216 | 6963200 | 4096 | 61440 | 32237 | |

| 7 <> 8 | 101 | 3199222 | 4096 | 61440 | 31675 | |

| 8 <> 9 | 0 | 0 | 0 | 0 | 0 | |

| 9 <> 10 | 0 | 0 | 0 | 0 | 0 | |

| 10 <> 11 | 0 | 0 | 0 | 0 | 0 | |

| 11 <> 12 | 0 | 0 | 0 | 0 | 0 | |

==================================================================================

Tshark bug 4: Floating point numbers are not properly aligned under their column headers.

Current

=============================================================================================

IO Statistics

Interval: 50.000000 secs

Column #0: COUNT(icmp.resptime)icmp.resptime

Column #1: SUM(icmp.resptime)icmp.resptime

Column #2: MAX(icmp.resptime)icmp.resptime

Column #3: AVG(icmp.resptime)icmp.resptime

Time | COUNT | SUM | MAX | AVG |

0000.000000-0050.000000 1 0.175000 0.175000 0.175000

0050.000000-0100.000000 1 0.198000 0.198000 0.198000

=============================================================================================

Corrected

=====================================================

| IO Statistics |

| |

| Interval size: 50 secs |

| Col 1: COUNT(icmp.resptime)icmp.resptime |

| 2: SUM(icmp.resptime)icmp.resptime |

| 3: MAX(icmp.resptime)icmp.resptime |

| 4: AVG(icmp.resptime)icmp.resptime |

|---------------------------------------------------|

| |1 |2 |3 |4 |

| Interval | COUNT | SUM | MAX | AVG |

|---------------------------------------------------|

| 0 <> 50 | 1 | 0.175000 | 0.175000 | 0.175000 |

| 50 <> 85 | 1 | 0.198000 | 0.198000 | 0.198000 |

=====================================================

Tshark Enhancements

In the current version:

· The length of each column in the table is set to a fixed width of 15 characters which often causes the table to wrap when more than five or six columns.

· The filters do no wrap on a space which reduces readability.

· Column numbers begin at zero rather than one which is great for computers but less so for humans.

Current version

======================================================================================================================================================

==============================================================

IO Statistics

Interval: 5.000000 secs

Column #0: COUNT(smb.time)smb.time and not (ip.addr==128.222.18.61 and ip.addr==128.222.18.255) and not (ip.addr==128.222.18.74 and ip.addr==128.222.1

9.25) and not (ip.addr==128.222.18.81 and ip.addr==128.222.18.255)

Column #1: MIN(smb.time)smb.time and not (ip.addr==128.222.18.61 and ip.addr==128.222.18.255) and not (ip.addr==128.222.18.74 and ip.addr==128.222.19.

25) and not (ip.addr==128.222.18.81 and ip.addr==128.222.18.255)

Column #2: MAX(smb.time)smb.time and not (ip.addr==128.222.18.61 and ip.addr==128.222.18.255) and not (ip.addr==128.222.18.74 and ip.addr==128.222.19.

25) and not (ip.addr==128.222.18.81 and ip.addr==128.222.18.255)

Column #3: AVG(smb.time)smb.time and not (ip.addr==128.222.18.61 and ip.addr==128.222.18.255) and not (ip.addr==128.222.18.74 and ip.addr==128.222.19.

25) and not (ip.addr==128.222.18.81 and ip.addr==128.222.18.255)

Column #4: LOAD(smb.time)smb.time and not (ip.addr==128.222.18.61 and ip.addr==128.222.18.255) and not (ip.addr==128.222.18.74 and ip.addr==128.222.19

.25) and not (ip.addr==128.222.18.81 and ip.addr==128.222.18.255)

Column #5: COUNT(smb.time)smb.time and not (ip.addr==128.222.18.61 and ip.addr==128.222.18.255) and not (ip.addr==128.222.18.74 and ip.addr==128.222.1

9.25) and not (ip.addr==128.222.18.81 and ip.addr==128.222.18.255)

Column #6: MIN(smb.time)smb.time and not (ip.addr==128.222.18.61 and ip.addr==128.222.18.255) and not (ip.addr==128.222.18.74 and ip.addr==128.222.19.

25) and not (ip.addr==128.222.18.81 and ip.addr==128.222.18.255)

Column #7: MAX(smb.time)smb.time and not (ip.addr==128.222.18.61 and ip.addr==128.222.18.255) and not (ip.addr==128.222.18.74 and ip.addr==128.222.19.

25) and not (ip.addr==128.222.18.81 and ip.addr==128.222.18.255)

Column #8: AVG(smb.time)smb.time and not (ip.addr==128.222.18.61 and ip.addr==128.222.18.255) and not (ip.addr==128.222.18.74 and ip.addr==128.222.19.

25) and not (ip.addr==128.222.18.81&& ip.addr==128.222.18.255)

Column #9: LOAD(smb.time)smb.time and not (ip.addr==128.222.18.61 and ip.addr==128.222.18.255) and not (ip.addr==128.222.18.74 and ip.addr==128.222.19

.25) and not (ip.addr==128.222.18.81 and ip.addr==128.222.18.255)

Column #10: LOAD(smb.time)smb.time and not (ip.addr==128.222.18.61 and ip.addr==128.222.18.255) and not (ip.addr==128.222.18.74 and ip.addr==128.222.1

9.25) and not (ip.addr==128.222.18.81 and ip.addr==128.222.18.255)

lumn #7 | Column #8 | Column #9 | Column #10 |

Time | COUNT | MIN | MAX | AVG | LOAD | COUNT | MIN |

MAX | AVG | LOAD | LOAD |

0000.000000-0005.000000 192 0.001265 0.010594 0.003924 0.150670 192 0.001265

0.010594 0.003924 0.150670 0.150670

0005.000000-0010.000000 469 0.001270 0.010398 0.004016 0.376744 469 0.001270

0.010398 0.004016 0.376744 0.376744

0010.000000-0015.000000 6 0.000334 0.017736 0.006244 0.007492 6 0.000334

0.017736 0.006244 0.007492 0.007492

======================================================================================================================================================

==============================================================

Enhanced version

1. Column widths are determined by the maximum magnitude of their values which allows for more stats to be displayed per row.

2. To improve readability, filters wrap at 102 chars or the table width, whichever is greater, and wrap on the nearest space. An option could easily be added to alter the 102-char limit.

3. Column numbers start at 1 instead of 0.

4. The columns and entire output are enclosed in a border for improved presentability in reports. In order to import the table into a spreadsheet, simply specify the vertical bar as the data delimiter.

===============================================================================================================================

| IO Statistics |

| |

| Interval size: 5 secs |

| Col 1: COUNT(smb.time)smb.time and not (ip.addr==128.222.18.61 and ip.addr==128.222.18.255) and not |

| (ip.addr==128.222.18.74 and ip.addr==128.222.19.25) and not (ip.addr==128.222.18.81 and ip.addr==128.222.18.255) |

| 2: MIN(smb.time)smb.time and not (ip.addr==128.222.18.61 and ip.addr==128.222.18.255) and not (ip.addr==128.222.18.74 |