----- Original Message -----
From: "Ian Schorr"
Sent: Saturday, January 11, 2003 7:35 AM
Subject: Re: [Ethereal-users] Ethereal Top Talkers - Other reporting info?

> As long as we're talking about new features =)
>
> How about reporting of Application Response Time within the decode pane?
> (ART as in end-of-call to beginning-of-response delta times, not
> call-to-next-UDP-segment-from-server or call-to-TCP-ACK as Sniffer
> calculates it =)
>
> Graphs would be nice, but ideally I'd like to be able to add a column to
> the decode pane that displays ART calculations. Better yet, columns for
> call-to-response, end-of-response to beginning-of-next-call, number of
> calls outstanding (unanswered by the server), etc. VERY useful
> statistics when trying to troubleshoot any kind of performance issue.
>
> Is this possible now, and I just don't realize it?
>

Yes.

All ONC-RPC and DCE-RPC based protocols that ethereal supports will put the ART value in the decode pane. SMB packets will also put the ART value in the decode pane.

These ART values are the difference in time between the request and response packet as ethereal saw the packets and are not calculated on lower layer ack packets. (TCP time to ack values can be calculated for all TCP sessions if one also enables the option: TCP/Analyze TCP sequence numbers. This option for TCP is disabled by default since it creates extra state inside ethereal and thus requires more runtime memory and makes ethereal (unnoticeably) slower.)

All the ART times are always enabled though and can not be disabled.

Load an SMB capture into ethereal and look in the SMB header for a reply packet: If ethereal has been able to match the reply to a request packet it will have these two lines in the decode pane under the SMB Header

    Response to: x
    Time from request: 0.xxx seconds

Right-clicking on the Response to: line will offer you the option to GoTo the request packet.

The Time from request line has a display filter name smb.time and you can filter for example smb.time>0.020 if you want to see say all SMB response packets where the ART took more than 20ms.

Same thing is available for all ONC-RPC (NFS, NLM, ...) and DCE-RPC (SAMR, NETLOGON, ...), and works regardless of what transport is used. (If a tool bases this hardcoded on TCP-ACK values this would be a bug making the feature useless and time to invoke the support contract to get it fixed.)

There may be other protocols as well where this is also implemented. Probably are but I don't remember which off the top of my head.

If this feature is missing from a request/response dissector in ethereal it is very easy to add it. It mainly consists of adding state tracking to match requests with responses and keep track of timestamps. Good examples on how this is done can be found in say packet-rpc.c

If you want ethereal to produce a graph over how the ART changes over time this can be done as well using IO-Stat graphing. See the man page for ethereal. I myself from time to time use this to do

    Select Graph type Advanced
    Specify filter as nfs&&rpc.time
    specify field as rpc.time
    then specify MAX/MIN/AVG respectively for the three first graphs.

This provides a simple graph where MAX() nfs ART, MIN() nfs ART and AVG() nfs ART will be calculated for each measurement interval and plotted. This provides a simple way to see how MAX/MIN/AVG changes over time. MAX/MIN/AVG for time fields are always plotted in units of ms.

If you do this, please donate a nice graph to the ethereal web page.

If you want to process and produce the graphs in external packages you can do that as well using tethereal. Run tethereal using the -z proto,colinfo,... option (see manpage) to put say smb.time on the output line for each packet (where it is available) and maybe whatever other fields you need. Then just use a script to extract whatever data you need and want from tethereal output.

Plea for contribution:
Oh, perhaps if you really find this useful you might be willing and have time to put together a brief nice user manual on how to do ART filtering and graphing in ethereal? Many would find these very useful features if they just knew how they work.

I could do it myself but, English is not my first language and I just can not write good and concise texts for human readers
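
An added illustration of the request/response state tracking described in the message above (not part of the original message and not ethereal's code): it matches replies to calls by transaction id, computes ART from capture timestamps only, and reports calls left outstanding. The `Pkt` record, its field names, the keep-first-transmission rule and the sample packets are all assumptions constructed for the example.

```python
from collections import namedtuple

# Constructed packet record (assumed fields): frame number, capture
# timestamp in seconds, conversation id, transaction id, call or reply.
Pkt = namedtuple("Pkt", "num ts conv xid is_reply")

def match_art(packets):
    """Match replies to calls; return (results, outstanding).

    results: one dict per matched reply with the reply frame, the request
             frame and the ART in seconds.
    outstanding: frame numbers of calls that never got a reply.
    """
    pending = {}   # (conv, xid) -> first-seen call
    results = []
    for p in packets:
        key = (p.conv, p.xid)
        if not p.is_reply:
            # Choice made in this example: keep the FIRST transmission, so a
            # retransmitted call does not reset the clock and hide the delay.
            pending.setdefault(key, p)
        elif key in pending:
            req = pending.pop(key)
            results.append({"reply": p.num, "request": req.num,
                            "art": round(p.ts - req.ts, 6)})
        # A reply whose call was never captured has no ART and is skipped.
    return results, sorted(r.num for r in pending.values())

def slower_than(results, threshold):
    """Same idea as a display filter such as smb.time>0.020."""
    return [r for r in results if r["art"] > threshold]

# Constructed sample capture: one fast call, one retransmitted slow call,
# two unanswered calls, and one reply with no captured call.
SAMPLE = [
    Pkt(1, 0.000, "A", 1, False), Pkt(2, 0.004, "A", 1, True),
    Pkt(3, 0.010, "A", 2, False), Pkt(4, 0.015, "A", 3, False),
    Pkt(5, 0.500, "A", 2, False), Pkt(6, 0.535, "A", 2, True),
    Pkt(7, 0.600, "B", 9, True),  Pkt(8, 0.700, "A", 4, False),
]

if __name__ == "__main__":
    results, outstanding = match_art(SAMPLE)
    for r in slower_than(results, 0.020):
        print("frame %(reply)d answers frame %(request)d after %(art).3f s" % r)
    print("calls outstanding:", outstanding)
```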