forked from noahdavids/packet-analysis
average.sh.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1252" />
<title>average.sh Information</title>
</head>
<body background="concret.jpg">
<center>
<h1>average.sh Information</h1>
<img src="bluebar.gif" width="576" height="14" alt="Blue Bar separator">
</center>
<p>
This is a shell script that uses tshark to read a trace file, extract a tshark variable from the
selected packets, and average its value. The script runs tshark to extract the variable and
pipes the output to awk, which calculates the average.
<p>
<h3>Usage</h3>
average.sh FILE-NAME TSHARK-FILTER TSHARK-VARIABLE
<br><br>
<b>FILE-NAME</b>
<br>
The file name (or path to the file). This file must be readable by tshark.
<br><br>
<b>TSHARK-FILTER</b>
<br>
This is the tshark filter (including either -R or -Y, depending on release) used to select a subset
of the packets in the trace file. You must provide this filter. If you want to average over all packets
in the file, you can use something like "-Y frame.number > 0". Note that this argument must be enclosed in quotes.
<br><br>
<b>TSHARK-VARIABLE</b>
<br>
This is the variable to be averaged.
<br><br>
<h3>Examples</h3>
Average the HTTP response time from a server
<br><br>
<center>
<table border=5>
<tr><td align=left>
<pre>
$ ./average.sh test.pcap "-Y http.time && ip.src == 172.16.1.11 && ip.dst == 172.16.1.200" http.time
tshark -r test.pcap "-Y http.time && ip.src == 172.16.1.11 && ip.dst == 172.16.1.200" -T fields -e http.time | awk '{sum += $1; n++} END { print sum, "/", n, "=", sum / n}'
0.778597 / 4 = 0.194649
</pre>
</td></tr>
</table>
Figure 1 - averaged HTTP response time
</center>
<p>
Average the delta time between frames for a given IP address
<br><br>
<center>
<table border=5>
<tr><td align=left>
<pre>
$ ./average.sh /pacp-library/test2.pcap "-Y ip.src == 172.16.1.200" frame.time_delta_displayed
tshark -r /pacp-library/test2.pcap "-Y ip.src == 172.16.1.200" -T fields -e frame.time_delta_displayed | awk '{sum += $1; n++} END { print sum, "/", n, "=", sum / n}'
10.4508 / 39 = 0.267969
</pre>
</td></tr>
</table>
Figure 2 - averaged delta time between frames
</center>
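<p>
The awk program echoed in both figures counts every line tshark prints as one sample, so a packet that passes the filter but lacks the variable (an empty line) lowers the average, and a filter that matches nothing ends in a division by zero. The following is an added example, not code from average.sh, that puts that awk program beside a variant which counts only numeric values. The function names and the sample lines are constructed for illustration.
</p>

```shell
#!/bin/sh
# Added example, not the project's average.sh. Function names are hypothetical.

# Constructed sample of `tshark -T fields -e FIELD` output: one line per
# packet that passed the filter; the line is empty when the packet lacks the
# field and comma-separated when the field occurs more than once.
sample_fields() {
    printf '%s\n' '0.1' '' '0.2,0.3'
}

# The awk program shown in the figures: every line counts as one sample.
naive_average() {
    awk '{sum += $1; n++} END { print sum, "/", n, "=", sum / n}'
}

# Same output format, but only numeric values are counted.
average_values() {
    awk -F, '
    {
        for (i = 1; i <= NF; i++) {
            v = $i
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)   # trim blanks and a trailing CR
            if (v == "") continue               # field absent in this packet
            if (v !~ /^-?[0-9]+(\.[0-9]+)?([eE][-+]?[0-9]+)?$/) { skipped++; continue }
            sum += v; n++
        }
    }
    END {
        if (skipped) print "skipped " skipped " non-numeric value(s)" > "/dev/stderr"
        if (n == 0) { print "no values to average" > "/dev/stderr"; exit 1 }
        print sum, "/", n, "=", sum / n
    }'
}

# Real use: tshark -r test.pcap -Y 'http.time' -T fields -e http.time | average_values
sample_fields | naive_average     # 0.3 / 3 = 0.1
sample_fields | average_values    # 0.6 / 3 = 0.2
```

Requiring the variable in the filter, as "-Y http.time && ..." does in Figure 1, also keeps empty lines out of the tshark output.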
<p>
You can find this script at <a href="https://github.com/noahdavids/packet-analysis/blob/master/average.sh">average.sh</a>
<br /><br />
<h5><center>
<img src="bluebar.gif" width="576" height="14" alt="Blue Bar separator">
<br />
This page was last modified on 18-04-25</center>
</h5>
<a href="mailto:[email protected]"><img src="mailbox.gif" width="32" height="32" alt="mailbox" align="left" hspace=3>
Send comments and suggestions
<br />
</a>
</body>
</html>