2 * dcerpcstat 2002 Ronnie Sahlberg
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #ifdef HAVE_SYS_TYPES_H
32 # include <sys/types.h>
36 #include "epan/packet_info.h"
38 #include <epan/stat_cmd_args.h>
39 #include <epan/dissectors/packet-dcerpc.h>
41 #define MICROSECS_PER_SEC 1000000
42 #define NANOSECS_PER_SEC 1000000000
44 /* used to keep track of statistics for a specific procedure */
/* The member list is not part of this listing. The functions below access
 * proc (printed in the Procedure column), num (printed in the Calls column)
 * and min, max and tot, each through .secs and .nsecs. */
45 typedef struct _rpc_procedure_t {
53 /* used to keep track of the statistics for an entire program interface */
/* Only two members are visible in this listing; the code below also uses
 * prog, filter, uuid and ver on this type. */
54 typedef struct _rpcstat_t {
/* Number of entries in procedures[] that dcerpcstat_init initialises.
 * dcerpcstat_packet compares the opnum of each reply against this value
 * before it indexes the table. */
59 guint32 num_procedures;
/* Table allocated in dcerpcstat_init and indexed by opnum. */
60 rpc_procedure_t *procedures;
/* Tap callback registered by dcerpcstat_init for the dcerpc tap. It folds
 * the request-to-reply time of one packet into the min, max and total of
 * the procedure selected by the opnum of the call.
 *
 * prs   - listener state passed to register_tap_listener (the rpcstat_t).
 * pinfo - packet metadata; the visible lines read only pinfo->fd->abs_ts.
 * pri   - dcerpc_info handed over by the DCE-RPC dissector.
 *
 * The listing omits lines of this function (return type, local
 * declarations, the bodies of the early-exit tests and the closing lines),
 * so the notes below describe only what is visible. */
66 dcerpcstat_packet(void *prs, packet_info *pinfo, epan_dissect_t *edt _U_, const void *pri)
68 const dcerpc_info *ri=pri;
/* NOTE(review): ri->call_data is dereferenced from here on. File lines
 * 69-75 are missing from the listing; confirm they hold a NULL check. */
76 if(!ri->call_data->req_frame){
77 /* we have not seen the request so we dont know the delta*/
/* opnum is supplied by the dissector for the packet being tapped, so it is
 * not under the control of this file. This comparison is the bounds check
 * for the rs->procedures[opnum] access further down; the table holds
 * num_procedures initialised entries (see dcerpcstat_init). */
80 if(ri->call_data->opnum>=rs->num_procedures){
81 /* dont handle this since its outside of known table */
85 /* we are only interested in reply packets */
86 if(ri->ptype != PDU_RESP){
90 /* we are only interested in certain program/versions */
/* Member-by-member UUID comparison plus the version; any mismatch selects
 * the branch (its body is not shown, presumably an early return). */
91 if( (ri->call_data->uuid.Data1!=rs->uuid.Data1)
92 ||(ri->call_data->uuid.Data2!=rs->uuid.Data2)
93 ||(ri->call_data->uuid.Data3!=rs->uuid.Data3)
94 ||(ri->call_data->uuid.Data4[0]!=rs->uuid.Data4[0])
95 ||(ri->call_data->uuid.Data4[1]!=rs->uuid.Data4[1])
96 ||(ri->call_data->uuid.Data4[2]!=rs->uuid.Data4[2])
97 ||(ri->call_data->uuid.Data4[3]!=rs->uuid.Data4[3])
98 ||(ri->call_data->uuid.Data4[4]!=rs->uuid.Data4[4])
99 ||(ri->call_data->uuid.Data4[5]!=rs->uuid.Data4[5])
100 ||(ri->call_data->uuid.Data4[6]!=rs->uuid.Data4[6])
101 ||(ri->call_data->uuid.Data4[7]!=rs->uuid.Data4[7])
102 ||(ri->call_data->ver!=rs->ver)){
/* Safe only because of the opnum test above; keep the two together. */
106 rp=&(rs->procedures[ri->call_data->opnum]);
108 /* calculate time delta between request and reply */
109 nstime_delta(&delta, &pinfo->fd->abs_ts, &ri->call_data->req_time);
/* The conditions guarding the next two pairs of assignments are missing
 * from the listing; presumably they seed max and min from the first
 * sample - confirm. */
112 rp->max.secs=delta.secs;
113 rp->max.nsecs=delta.nsecs;
117 rp->min.secs=delta.secs;
118 rp->min.nsecs=delta.nsecs;
/* New minimum: compare seconds first, nanoseconds only on a tie. */
121 if( (delta.secs<rp->min.secs)
122 ||( (delta.secs==rp->min.secs)
123 &&(delta.nsecs<rp->min.nsecs) ) ){
124 rp->min.secs=delta.secs;
125 rp->min.nsecs=delta.nsecs;
/* New maximum: same ordering as above. */
128 if( (delta.secs>rp->max.secs)
129 ||( (delta.secs==rp->max.secs)
130 &&(delta.nsecs>rp->max.nsecs) ) ){
131 rp->max.secs=delta.secs;
132 rp->max.nsecs=delta.nsecs;
/* Accumulate the running total, carrying whole seconds out of nsecs.
 * NOTE(review): the test uses > rather than >=, so a sum of exactly
 * NANOSECS_PER_SEC is left un-normalised. The matching increment of
 * tot.secs is not visible in the listing. dcerpcstat_draw recombines
 * secs and nsecs into one 64-bit count, so the printed average is not
 * affected. */
135 rp->tot.secs += delta.secs;
136 rp->tot.nsecs += delta.nsecs;
137 if(rp->tot.nsecs > NANOSECS_PER_SEC){
138 rp->tot.nsecs -= NANOSECS_PER_SEC;
/* Tap draw callback registered by dcerpcstat_init. It prints the SRT table
 * to stdout: a banner, the interface name and major version, the filter,
 * a column header, then one row per procedure.
 *
 * prs - listener state passed to register_tap_listener (the rpcstat_t).
 *
 * Local declarations and the closing lines are missing from this listing. */
148 dcerpcstat_draw(void *prs)
154 printf("=======================================================================\n");
/* prog and filter are passed as %s arguments, never as the format string. */
155 printf("%s Major Version %u SRT Statistics:\n", rs->prog, rs->ver);
/* filter may be NULL when no filter was given, so an empty string is
 * substituted before printing. */
156 printf("Filter: %s\n",rs->filter?rs->filter:"");
157 printf("Procedure Calls Min SRT Max SRT Avg SRT\n");
159 for(i=0;i<rs->num_procedures;i++){
160 /* Only display procs with non-zero calls */
/* The body of this test is not shown. Skipping such rows is also what
 * would keep the division by num below from dividing by zero - confirm. */
161 if(rs->procedures[i].num==0){
164 /* Scale the average SRT in units of 1us and round to the nearest us. */
/* tot is recombined into a single 64-bit nanosecond count before the
 * division, so the average does not depend on how the total is split
 * between tot.secs and tot.nsecs. */
165 td = ((guint64)(rs->procedures[i].tot.secs)) * NANOSECS_PER_SEC + rs->procedures[i].tot.nsecs;
166 td = ((td / rs->procedures[i].num) + 500) / 1000;
/* NOTE(review): (nsecs+500)/1000 yields 1000000 once nsecs reaches
 * 999999500, which prints a seven-digit fraction instead of carrying
 * into the seconds column. The average does not have this problem
 * because td is split with / and % after rounding. */
168 printf("%-31s %6d %3d.%06d %3d.%06d %3" G_GINT64_MODIFIER "u.%06" G_GINT64_MODIFIER "u\n",
169 rs->procedures[i].proc,
170 rs->procedures[i].num,
171 (int)(rs->procedures[i].min.secs),(rs->procedures[i].min.nsecs+500)/1000,
172 (int)(rs->procedures[i].max.secs),(rs->procedures[i].max.nsecs+500)/1000,
173 td/MICROSECS_PER_SEC, td%MICROSECS_PER_SEC
176 printf("=======================================================================\n");
/* Handler for the -z dcerpc,srt option, registered in
 * register_tap_listener_dcerpcstat. optarg is the option text from the
 * command line. The visible code parses the interface UUID and the
 * major.minor version from it, range-checks the version numbers, looks up
 * the interface, builds one rpc_procedure_t slot per opnum and registers
 * the tap listener.
 *
 * Many lines of this function are missing from the listing (return type,
 * some declarations, the tests that select each error path, the exit
 * calls); notes that depend on them are marked as assumptions. */
182 dcerpcstat_init(const char *optarg, void* userdata _U_)
185 guint32 i, max_procs;
186 dcerpc_sub_dissector *procs;
/* Full-width unsigned temporaries: the %x conversions below store through
 * unsigned int pointers, whatever the width of the final uuid members. */
188 guint d1,d2,d3,d40,d41,d42,d43,d44,d45,d46,d47;
192 const char *filter=NULL;
193 GString *error_string;
196 * XXX - DCE RPC statistics are maintained only by major version,
197 * not by major and minor version, so the minor version number is
200 * Should we just stop supporting minor version numbers here?
201 * Or should we allow it to be omitted? Or should we keep
202 * separate statistics for different minor version numbers,
203 * and allow the minor version number to be omitted, and
204 * report aggregate statistics for all minor version numbers
/* All 13 conversions must succeed: eleven UUID fields, major and minor.
 * The field widths cap how many characters each %x consumes. %n stores
 * the number of characters read so far in pos; presumably the optional
 * filter is then taken from that offset (code not shown). */
208 "dcerpc,srt,%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x,%d.%d%n",
209 &d1,&d2,&d3,&d40,&d41,&d42,&d43,&d44,&d45,&d46,&d47,
210 &major,&minor,&pos)==13){
228 fprintf(stderr, "tshark: invalid \"-z dcerpc,srt,<uuid>,<major version>.<minor version>[,<filter>]\" argument\n");
/* major and minor are parsed with %d, so negative input reaches this
 * point; both are limited to 0..65535 here. The messages say positive,
 * yet 0 passes the test. */
231 if (major < 0 || major > 65535) {
232 fprintf(stderr,"tshark: dcerpcstat_init() Major version number %d is invalid - must be positive and <= 65535\n", major);
235 if (minor < 0 || minor > 65535) {
236 fprintf(stderr,"tshark: dcerpcstat_init() Minor version number %d is invalid - must be positive and <= 65535\n", minor);
/* g_malloc aborts the program on allocation failure, hence no NULL test. */
241 rs=g_malloc(sizeof(rpcstat_t));
242 rs->prog=dcerpc_get_proto_name(&uuid, ver);
/* The test guarding this message is not shown; presumably it fires when
 * the lookup above returned NULL - confirm that rs is released there. */
245 fprintf(stderr,"tshark: dcerpcstat_init() Protocol with uuid:%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x v%u not supported\n",uuid.Data1,uuid.Data2,uuid.Data3,uuid.Data4[0],uuid.Data4[1],uuid.Data4[2],uuid.Data4[3],uuid.Data4[4],uuid.Data4[5],uuid.Data4[6],uuid.Data4[7],ver);
/* NOTE(review): procs is dereferenced in the loops below and the listing
 * shows no NULL test on it (lines are missing) - confirm. */
248 procs=dcerpc_get_proto_sub_dissector(&uuid, ver);
/* The listener keeps its own copy of the filter text. g_strdup(NULL)
 * returns NULL, which dcerpcstat_draw tolerates. */
253 rs->filter=g_strdup(filter);
/* Find the highest opnum in procs; the table ends at the first entry
 * whose name is NULL. */
258 for(i=0,max_procs=0;procs[i].name;i++){
259 if(procs[i].num>max_procs){
260 max_procs=procs[i].num;
/* num_procedures is the highest opnum plus one, so every opnum listed in
 * procs is a valid index, and dcerpcstat_packet rejects anything at or
 * above it. The allocation holds one slot more than the loop below
 * initialises.
 * NOTE(review): the size multiplication is unchecked; it cannot wrap only
 * if procs[].num is a narrow type - TODO confirm against the declaration
 * of dcerpc_sub_dissector. */
263 rs->num_procedures=max_procs+1;
264 rs->procedures=g_malloc(sizeof(rpc_procedure_t)*(rs->num_procedures+1));
/* Initialise every slot, including opnums that procs does not name, so
 * that dcerpcstat_packet and dcerpcstat_draw never read uninitialised
 * counters. */
265 for(i=0;i<rs->num_procedures;i++){
267 rs->procedures[i].proc="unknown";
/* assumption: the missing file line 269 tests procs[j].num against i, so
 * the default name is replaced only for opnums that procs lists. */
268 for(j=0;procs[j].name;j++){
270 rs->procedures[i].proc=procs[j].name;
273 rs->procedures[i].num=0;
274 rs->procedures[i].min.secs=0;
275 rs->procedures[i].min.nsecs=0;
276 rs->procedures[i].max.secs=0;
277 rs->procedures[i].max.nsecs=0;
278 rs->procedures[i].tot.secs=0;
279 rs->procedures[i].tot.nsecs=0;
/* rs is handed to the tap layer and comes back as the first argument of
 * dcerpcstat_packet and dcerpcstat_draw. The result is an error message
 * object; the test that selects the cleanup below is not shown. */
282 error_string=register_tap_listener("dcerpc", rs, filter, 0, NULL, dcerpcstat_packet, dcerpcstat_draw);
284 /* error, we failed to attach to the tap. clean up */
/* Only the release of the table is visible; rs->filter and rs are
 * presumably released in the missing lines 286-288 - confirm. */
285 g_free(rs->procedures);
289 fprintf(stderr, "tshark: Couldn't register dcerpc,srt tap: %s\n",
/* TRUE also frees the character data held by the GString. */
291 g_string_free(error_string, TRUE);
/* Registration entry point: binds the option prefix dcerpc,srt, to
 * dcerpcstat_init with no user data. The return type and braces are
 * missing from this listing. */
297 register_tap_listener_dcerpcstat(void)
299 register_stat_cmd_arg("dcerpc,srt,", dcerpcstat_init,NULL);