subject:"\[Wireshark\-bugs\] \[Bug 11920\] IO Graph\: NFS\/RPC not congruent with underlaying TCP"

[Wireshark-bugs] [Bug 11920] IO Graph: NFS/RPC not congruent with underlaying TCP

2016-12-03 Thread bugzilla-daemon

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11920

Jim Young  changed:

   What|Removed |Added

 Status|INCOMPLETE  |RESOLVED
 CC||jyo...@gsu.edu
 Resolution|--- |NOTABUG

--- Comment #10 from Jim Young  ---
Hello Carsten,

The reason that the "NFS" and "RPC" bytes/sec graphs are so much lower than the
"Stream 0" graph is because your trace contains many fewer NFS and RPC frames
than it does TCP frames!

In your sample trace (thanks) 100% of the packets match the display filter of
"tcp.stream==0" but only 6.9% of the frames match a display filter of "rpc" or
of "nfs".

>From your screen shots you've configured the IO Graph to plot three different
graphs.

#1 - a count of the bytes (per second) for "tcp.stream==0" frames
#2 - a count of the bytes (per second) for "nfs" frames
#3 - a count of the bytes (per second) for "rpc" frames

These IO graphs simply plot the sum of the frame lengths of the packets that
match each of the filters for the configured time interval (in this case one
second).

Obviously what you want really want to plot is the lengths of RPC and NFS
packets.

As you are aware NFS is encapsulated in RPC and in this case RPC is
encapsulated in TCP.  But each RPC packet is sent in multiple TCP segments. 
The complete set of TCP segments must be reassembled to create the original
RPC/NFS packet.  Wireshark only displays the reassembled RPC/NFS packet in the
last packet of each reassembled TCP segment train.  So only the last TCP packet
of each TCP segment train ends up matching the display filters of "nfs" or
"rpc".

I believe you can achieve your objective by plotting the
"tcp.reassembled.length",
"rpc.fraglen" and/or perhaps the "nfs.count3" field values. 

To generate a graph of the RPC bytes per second configure the "Display Filter"
field with the value "rpc", the "Y Axis" field with the formula "Sum(Y Field)"
and the "Y Field" with the field value "tcp.reassembled.length".  This will
plot the length of the complete RPC packet including the RPC header.

To generate a graph of the NFS bytes per second configure the "Display Filter"
field with the value "nfs", the "Y Axis" field with the formula "Sum(Y Field)"
and the "Y Field" with the field value "rpc.fraglen".  I'm no RPC/NFS expert
but this appears to plot the length of the complete NFS packet including the
NFS header.

It becomes a little harder to generate a graph of just the NFS payload bytes
per second.   If you configure a "Display Filter" field value of "nfs" and
the"Y Axis" field with the formula "Sum(Y Field)" and the "Y Field" with the
field value "nfs.count3" you will see a plot twice as high as expected.  This
is because the field "nfs.count3" exists both in the NFS WRITE Call packets and
the and NFS Write Reply packets.  To generate a graph more in line with the
actual bytes transmitted you could simply augment the "Display Filter" field
with something like "nfs && ip.src==", where  is the host
that is transmitting the file.

To help illustrate the differences in these three field's values you might want
to add Custom Columns to Wireshark's Packet List for "tcp.reassembled.length",
"rpc.fraglen" and "nfs.count3".  This will allow you to compare the three
values side by side and determine which value(s) might be best for your needs. 
Displaying them in the Custom Column in this manner will also help with
understanding why simply plotting the "nfs.count3" could result in a plot twice
as high as expected. 

With the modified IO Graph Y Axis and Y Field value in place I believe you will
see the IO Graph congruency you expect.

If you believe this analysis is incorrect please feel free to reopen this bug.

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 11920] IO Graph: NFS/RPC not congruent with underlaying TCP

2016-12-01 Thread bugzilla-daemon

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11920

--- Comment #9 from Carsten Grohmann  ---
Hi Wireshark Developer,

Unfortunately I dropped the the initial pcap file also. 

Today I've repeated the test and the issue is still present in current
Wireshark (2.2.2). 

The new attached screenshot still shows the difference between the TCP stream
and the NFS/RPC streams.

Steps to reproduce:
1. Create a file with 300MB size
2. Start capturing network traffic
3. Copy the file to a NFS server
4. Stop capturing
5. Analyse the capture file 

I can provide access to the new created pcap file within a private email.

Regards,
Carsten

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 11920] IO Graph: NFS/RPC not congruent with underlaying TCP

2016-12-01 Thread bugzilla-daemon

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11920

--- Comment #8 from Carsten Grohmann  ---
Created attachment 15097
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=15097=edit
IO Graph example with Wireshark 2.2.2

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 11920] IO Graph: NFS/RPC not congruent with underlaying TCP

2016-11-25 Thread bugzilla-daemon

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11920

--- Comment #7 from Alexis La Goutte  ---
(In reply to Michael Mann from comment #6)
> (In reply to Carsten Grohmann from comment #5)
> > I've shared a download link to a pcap file within a private email to Alexis.
> 
> Any progress Alexis?  Can we move back to CONFIRMED or have you fixed this
> in the mean time?

I need to refound the pcap... (it is a temporary link) and don't remember to
have fix this issue...

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 11920] IO Graph: NFS/RPC not congruent with underlaying TCP

2016-11-25 Thread bugzilla-daemon

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11920

Michael Mann  changed:

   What|Removed |Added

 CC||mman...@netscape.net

--- Comment #6 from Michael Mann  ---
(In reply to Carsten Grohmann from comment #5)
> I've shared a download link to a pcap file within a private email to Alexis.

Any progress Alexis?  Can we move back to CONFIRMED or have you fixed this in
the mean time?

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 11920] IO Graph: NFS/RPC not congruent with underlaying TCP

2015-12-29 Thread bugzilla-daemon

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11920

Carsten Grohmann  changed:

   What|Removed |Added

  Attachment #14178|0   |1
is obsolete||

--- Comment #3 from Carsten Grohmann  ---
Created attachment 14185
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=14185=edit
IO Graph example with Wireshark 2.0.1rc0-215

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 11920] IO Graph: NFS/RPC not congruent with underlaying TCP

2015-12-29 Thread bugzilla-daemon

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11920

--- Comment #2 from Carsten Grohmann  ---
Created attachment 14184
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=14184=edit
IO Graph example with Wireshark 1.12.8

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 11920] IO Graph: NFS/RPC not congruent with underlaying TCP

2015-12-29 Thread bugzilla-daemon

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11920

--- Comment #4 from Carsten Grohmann  ---
Hi Alexis,

the issue occurs with Wireshark 1.12.8 also. 
I've prepared a pcap file, but I still wait for a approval to share the file
with you.

I won't attach the pcap file to this bug report. Instead I would store it on a
web share and send you the link to your gmail address. Is this ok?

Regards,
Carsten

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 11920] IO Graph: NFS/RPC not congruent with underlaying TCP

2015-12-23 Thread bugzilla-daemon

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11920

Alexis La Goutte  changed:

   What|Removed |Added

 Status|UNCONFIRMED |INCOMPLETE
 CC||alexis.lagou...@gmail.com
 Ever confirmed|0   |1

--- Comment #1 from Alexis La Goutte  ---
Hi Carsten,

It is possible to attach your pcap ?

Do you have the same issue with older release ? (1.12.x ?)

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 11920] IO Graph: NFS/RPC not congruent with underlaying TCP

[Wireshark-bugs] [Bug 11920] IO Graph: NFS/RPC not congruent with underlaying TCP

[Wireshark-bugs] [Bug 11920] IO Graph: NFS/RPC not congruent with underlaying TCP

[Wireshark-bugs] [Bug 11920] IO Graph: NFS/RPC not congruent with underlaying TCP

[Wireshark-bugs] [Bug 11920] IO Graph: NFS/RPC not congruent with underlaying TCP

[Wireshark-bugs] [Bug 11920] IO Graph: NFS/RPC not congruent with underlaying TCP

[Wireshark-bugs] [Bug 11920] IO Graph: NFS/RPC not congruent with underlaying TCP

[Wireshark-bugs] [Bug 11920] IO Graph: NFS/RPC not congruent with underlaying TCP

[Wireshark-bugs] [Bug 11920] IO Graph: NFS/RPC not congruent with underlaying TCP

9 matches

Site Navigation

Mail list logo

Footer information