This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

hi,

im looking for a way to graph only the upload or download traffic for one connection, is this possible?

what ive found:

how fast a connection is at the moment(probably up+download speed combined): http://ask.wireshark.org/questions/1242/speed-of-sending-and-receiving-packets selecting a filter A->B or B->A both showed the same value for my test application.

or how much data was downloaded by conversation x http://ask.wireshark.org/questions/82/can-wireshark-monitor-bandwidth-usage-per-applicationprocess

asked 29 Dec '12, 06:02

Kiste_Becks's gravatar image

Kiste_Becks
0113
accept rate: 0%

edited 29 Dec '12, 06:24


You could use a filter in the IO graph for one of the colors, which would lead to a graph of that color being painted for just the packets that pass the filter. For example you could filter on something like "(ip.addr eq 192.168.1.1 and ip.addr eq 10.0.0.1) and (tcp.port eq 1025 and tcp.port eq 80)", assuming that these IPs and ports are used for the connection you want to graph. Don't forget to activate the graph by pushing the according button in front of the filter box.

If you only want one direction - lets say, just the packets coming back from the server (a download for example), you can filter on "ip.src eq 10.0.0.1 and tcp.srcport eq 80". That filter forces Wireshark to only graph for packets that come from the server. Problem with this is - if you have multiple connection to that server on that port you'll graph all of them. You can circumvent this problem by adding the stream index as well, for example "ip.src eq 10.0.0.1 and tcp.srcport eq 80 and tcp.stream==5" (assuming 5 is the connection that you want to graph).

permanent link

answered 29 Dec '12, 06:53

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 29 Dec '12, 06:55

thx, will experiment with that.

[Answer converted to a comment as per the style for bugs.wireahrk.org; Please see the FAQ]

(29 Dec '12, 12:34) Kiste_Becks

If you're going to use the stream index, which is a good idea, I think you can drop the "tcp.srcport" and simplify your filter to "ip.src == 10.0.0.1 and tcp.stream == 5" since the entire stream will be between one pair of ports that won't change during that particular TCP connection.

(29 Dec '12, 16:50) Jim Aragon

True. I added the paragraph about the stream index when I realized that without it you'd see all connections on that port. In that Edit, I forgot that I could now deprecate the port. It doesn't hurt to have it, so I didn't edit the answer again :-)

(31 Dec '12, 10:17) Jasper ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×5

question asked: 29 Dec '12, 06:02

question was seen: 4,876 times

last updated: 31 Dec '12, 10:17

p​o​w​e​r​e​d by O​S​Q​A