Microburst analysis for wireshark

0

Hello,

I am suspecting microbursts happening at time intervals too short to show up in i/o statistics in some pcap files.

Does Wireshark have a built-in automated search through large captures to find microbursts?

Is there a way to get a better resolution than 0.001s in the I/O Graph?

Thanks.

asked 27 Sep '13, 08:27

Metakent
accept rate: 0%

edited 27 Sep '13, 08:44

cmaynard ♦♦


3 Answers:

0

Is there a way to get a better resolution than 0.001s in i/o Graph ?

Well, if you don't see a microburst with a resolution of 1ms, then it is either not there or really, really short (which might be the case). Unfortunately there is no commonly accepted definition for a microburst, at least I don't know one. So it is hard to 'describe/define' what a microburst is and/or what is not, especially as it heavily depends on the environment.

As you cannot draw IO graphs with microsecond resolution, your options are:

  • extend the Wireshark code to allow that (may be some work)
  • use tshark to output the data in 'CSV' and then use spreadsheet software or a tool for statistical calculations (like the R language/environment or ) to generate graphs with a lower (or higher) resolution.

Example:

tshark -nr input.pcap -T fields -e frame.number -e frame.time_relative -e ip.src -e ip.dst -e frame.len -E header=y -E "separator=;" > out.txt

Regards
Kurt

answered 29 Sep '13, 09:19

Kurt Knochner ♦
accept rate: 15%

0

One thing that could be deceiving is that when you choose .0001 sec as the x axis tick interval in the I/O graph, it doesn't really tell you what the bits/sec rate is.

At first I had the impression that if you chose .0001sec (1 millisecond) you would see higher spikes than when you chose a tick interval of 1 sec. But that's clearly not the case.

The reason for this is that Wireshark is simply telling you how many bits are matched every 1 millisecond, instead of telling you the "rate" on a per second basis.

The question is: during this 1 millisecond interval sample, based on the bits that were seen, if we were to have this many bits for 1000 consecutive milliseconds, what would be the bits per second rate? And unfortunately, Wireshark doesn't seem to calculate this for us in the I/O graph.

However, you can get a very detailed throughput graph when you go to Statistics > TCP Stream Graph > Throughput Graph. The only problem with this is that it only gives you the stats for the TCP conversation you have highlighted.

answered 11 Jun '14, 12:48

audyn
accept rate: 0%

Is this a comment, an answer or a question?

(11 Jun '14, 13:15) Kurt Knochner ♦

0

This is more of an answer and a comment.

The question I added to the comment was basically one that answers what we're trying to actually gather from the I/O graph.

So interestingly, one way we could use the I/O graph is for example: you get some spikes here and there and let's say one of the spikes went up to 5000 bits per tick (and you have the tick interval set to 1 millisecond). The way to figure out the bits per second rate is to simply multiply by 1000 (1000 milliseconds) and you come up with 5000000 bits per sec (5Mbps).

Hope that helps.

answered 11 Jun '14, 13:52

audyn
accept rate: 0%
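
The CSV export from the tshark answer and the per-tick scaling from the last answer, combined as an added example (not code from any poster or from Wireshark): it bins frame.len into intervals finer than the I/O graph allows and scales each bin to bits per second. The function names, the 100 µs bin width, the 500 Mbit/s threshold and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed rows in the layout of the tshark export above (header=y, ';' separator).
SAMPLE = """frame.number;frame.time_relative;ip.src;ip.dst;frame.len
1;0.000000;10.0.0.1;10.0.0.2;1500
2;0.005000;10.0.0.2;10.0.0.1;66
3;0.010010;10.0.0.1;10.0.0.2;1500
4;0.010030;10.0.0.1;10.0.0.2;1500
5;0.010050;10.0.0.1;10.0.0.2;1500
6;0.010070;10.0.0.1;10.0.0.2;1500
7;0.010090;10.0.0.1;10.0.0.2;1500
8;0.020000;10.0.0.2;10.0.0.1;66
"""

def bin_bits(lines, bin_us):
    """Sum frame bits into fixed-width bins of bin_us microseconds."""
    bins = {}
    for row in csv.DictReader(lines, delimiter=";"):
        if not row["frame.len"]:
            continue  # skip malformed or short rows
        # Integer microseconds avoid float rounding at bin edges.
        t_us = round(float(row["frame.time_relative"]) * 1_000_000)
        idx = t_us // bin_us
        bins[idx] = bins.get(idx, 0) + int(row["frame.len"]) * 8
    return bins

def find_bursts(lines, bin_us=100, threshold_bps=500_000_000):
    """Return (bin_start_s, bits, equivalent_bps) for bins at or above threshold."""
    bursts = []
    for idx, bits in sorted(bin_bits(lines, bin_us).items()):
        # Bits seen in one bin, scaled to the rate they would represent
        # if sustained for a full second (bits per tick * ticks per second).
        bps = bits * 1_000_000 // bin_us
        if bps >= threshold_bps:
            bursts.append((idx * bin_us / 1_000_000, bits, bps))
    return bursts

if __name__ == "__main__":
    # For a real capture, pass open("out.txt", newline="") instead of SAMPLE.
    for bin_us in (1000, 100):
        hits = find_bursts(io.StringIO(SAMPLE), bin_us)
        print(f"{bin_us} us bins: {len(hits)} bin(s) over threshold")
        for start, bits, bps in hits:
            print(f"  t={start:.6f}s  {bits} bits  ~{bps / 1e6:.0f} Mbit/s")
```

With 1 ms bins the five constructed back-to-back frames average to 60 Mbit/s and are not flagged; with 100 µs bins the same frames scale to 600 Mbit/s and are.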