-SUM(<field>) can only be used on named fields of integer type.
-This will sum together every occurence of this fields value for each interval.
-
-Example: B<-z io,stat,0.010,SUM(frame.pkt_len)frame.pkt_len>
-
-This will report the total number of bytes seen in all the packets within
-an interval.
-
-MIN/MAX/AVG(<field>) can only be used on named fields that are either
-integers or relative time fields. This will calculate maximum/minimum
-or average seen in each interval. If the field is a relative time field
-the output will be presented in seconds and three digits after the
-decimal point. The resolution for time calculations is 1ms and anything
-smaller will be truncated.
-
-Example: B<-z "io,stat,0.010,smb.time&&ip.addr==1.1.1.1,MIN(smb.time)smb.time&&ip.addr==1.1.1.1,MAX(smb.time)smb.time&&ip.addr==1.1.1.1,MAX(smb.time)smb.time&&ip.addr==1.1.1.1">
-
-This will calculate statistics for all smb response times we see to/from
-host 1.1.1.1 in 10ms intervals. The output will be displayed in 4
-columns; number of packets/bytes, minimum response time, maximum response
-time and average response time.
+B<SUM(I<field>)I<field> [and I<filter>]> - Unlike COUNT, the I<values> of the
+specified field are summed per time interval.
+''I<field>'' can only be a named integer or relative time field.
+
+Example: B<-z io,stat,0.010,E<34>SUM(frame.len)frame.lenE<34>>
+
+Reports the total number of bytes that were transmitted bidirectionally in
+all the packets within a 10 millisecond interval.
+
+B<MIN/MAX/AVG(I<field>)I<field> [and I<filter>]> - The minimum, maximum, or average field value
+in each interval is calculated. The specified field must be a named integer
+or relative time field. For relative time fields, the output is presented in
+seconds with six decimal digits of precision rounded to the nearest microsecond.
+
+In the following example, The time of the first Read_AndX call, the last Read_AndX
+response values are displayed and the minimum, maximum, and average Read response times
+(SRTs) are calculated. NOTE: If the DOS command shell line continuation character, ''^''
+is used, each line cannot end in a comma so it is placed at the beginning of each
+continuation line:
+
+ tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,
+ "MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0",
+ "MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1",
+ "MIN(smb.time)smb.time and smb.cmd==0x2e",
+ "MAX(smb.time)smb.time and smb.cmd==0x2e",
+ "AVG(smb.time)smb.time and smb.cmd==0x2e"
+
+
+ ======================================================================================================
+ IO Statistics
+ Column #0: MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0
+ Column #1: MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1
+ Column #2: MIN(smb.time)smb.time and smb.cmd==0x2e
+ Column #3: MAX(smb.time)smb.time and smb.cmd==0x2e
+ Column #4: AVG(smb.time)smb.time and smb.cmd==0x2e
+ | Column #0 | Column #1 | Column #2 | Column #3 | Column #4 |
+ Time | MIN | MAX | MIN | MAX | AVG |
+ 000.000- 0.000000 7.704054 0.000072 0.005539 0.000295
+ ======================================================================================================
+
+The following command displays the average SMB Read response PDU size, the
+total number of read PDU bytes, the average SMB Write request PDU size, and
+the total number of bytes transferred in SMB Write PDUs:
+
+ tshark -n -q -r smb_reads_writes.cap -z io,stat,0,
+ "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
+ "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
+ "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to",
+ "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to"
+
+ =====================================================================================
+ IO Statistics
+ Column #0: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
+ Column #1: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
+ Column #2: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
+ Column #3: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
+ | Column #0 | Column #1 | Column #2 | Column #3 |
+ Time | AVG | SUM | AVG | SUM |
+ 000.000- 30018 28067522 72 3240
+ =====================================================================================
+
+B<LOAD(I<field>)I<field> [and I<filter>]> - The LOAD/Queue-Depth
+in each interval is calculated. The specified field must be a relative-time filed that represents a response time. For example smb.time.
+For each interval the Queue-Depth for the specified protocol is calculated.
+
+The following command displays the average SMB LOAD.
+A value of 1.0 represents one I/O in flight.
+
+ tshark -n -q -r smb_reads_writes.cap
+ -z "io,stat,0.001,LOAD(smb.time)smb.time"
+
+ ============================================================================
+ IO Statistics
+ Interval: 0.001000 secs
+ Column #0: LOAD(smb.time)smb.time
+ | Column #0 |
+ Time | LOAD |
+ 0000.000000-0000.001000 1.000000
+ 0000.001000-0000.002000 0.741000
+ 0000.002000-0000.003000 0.000000
+ 0000.003000-0000.004000 1.000000
+
+
+
+B<FRAMES | BYTES[()I<filter>]> - Displays the total number of frames or bytes.
+The filter field is optional but if included it must be prepended with ''()''.
+
+The following command displays five columns: the total number of frames and bytes
+(transferred bidirectionally) using a single comma, the same two stats using the FRAMES and BYTES
+subcommands, the total number of frames containing at least one SMB Read response, and
+the total number of bytes transmitted to the client (unidirectionally) at IP address 10.1.0.64.
+
+ tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,,FRAMES,BYTES,
+ "FRAMES()smb.cmd==0x2e and smb.response_to","BYTES()ip.dst==10.1.0.64"
+
+ =======================================================================================================================
+ IO Statistics
+ Column #0:
+ Column #1: FRAMES
+ Column #2: BYTES
+ Column #3: FRAMES()smb.cmd==0x2e and smb.response_to
+ Column #4: BYTES()ip.dst==10.1.0.64
+ | Column #0 | Column #1 | Column #2 | Column #3 | Column #4 |
+ Time | Frames | Bytes | FRAMES | BYTES | FRAMES | BYTES |
+ 000.000- 33576 29721685 33576 29721685 870 29004801
+ =======================================================================================================================
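Review bot: The NOTE in the MIN/MAX/AVG paragraph says that when ''^'' is used the comma goes at the beginning of each continuation line, but the verbatim command that follows ends every line in a comma and shows no continuation character at all, so the example contradicts the note and cannot be pasted as-is into a DOS or a POSIX shell. Either show the command the way the note describes, or state that it is wrapped for display only and must be entered on one line; the smb_reads_writes.cap, LOAD and FRAMES/BYTES commands further down are wrapped the same way. Smaller points in the same added text: the sentence introducing that example needs rewording ("In the following example, The time of the first Read_AndX call, the last Read_AndX response values are displayed ..."), "relative-time filed" in the LOAD paragraph should be "field", and the LOAD sample output has no closing "====" rule and is followed by three blank lines, unlike the other samples.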