This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Sort by bandwidth used and show IP address/network name?

0

Hi All,

This is probably an easy one and I may be missing something obvious, but I'm having a hard time configuring Wireshark to show me the same type of data that I used to see with Capsa.

I'm just trying to get a simple list of traffic, sorted by the highest amount of bandwidth, and next to that show the IP address/network name of the device that used that bandwidth. Here's a pic of exactly what I mean: [image]

Is this possible with Wireshark? If so, how? Seems like that would be the most wanted/needed functionality.

asked 02 Oct '13, 23:05


life036
16115
accept rate: 0%


One Answer:

3

Just go into the Statistics menu and then Endpoints or Statistics:Conversations and choose the IPv4 tab. You can sort by any column. (And I'll be a bit "picky" - the "Bytes" column you sorted by isn't really bandwidth, but traffic volume).


answered 03 Oct '13, 02:39


martyvis
8911525
accept rate: 7%

Brilliant, thanks!

Is there any way to do a sub-sort here, though? For instance, in my Capsa screengrab above it sorts by internal hosts and external hosts, then the traffic volume. Can we only show the local hosts while still sorting by bytes?

Also, any way to change the bytes into MBs?

Thanks

(03 Oct '13, 20:30) life036
1

It doesn't have a hierarchical grouping built-in, but if you apply a display filter before opening the Stats window you can then click on the "Limit to Display Filter" box to only have stats for that subset. So a display filter like "ip.addr == 10.0.0.0/8" would do the trick.

The display units are what they are, so if you want to change them you go change the source code and recompile.

Alternatively, just press the "Copy" button to get the data display in CSV format, which can be easily munged in a spreadsheet to show it in the format you want.

(03 Oct '13, 22:23) martyvis
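
The CSV munging suggested in the comment above, done in Python instead of a spreadsheet, as an added example that is not part of the original thread: it keeps only hosts inside 10.0.0.0/8, sorts them by traffic volume and reports megabytes. The sample rows are constructed, the function name `local_top_talkers` is hypothetical, and the column names "Address" and "Bytes" are assumptions about the copied CSV that may differ between Wireshark versions.

```python
import csv
import io
import ipaddress

# Constructed sample of the CSV the "Copy" button yields; the column
# names "Address" and "Bytes" are assumptions, adjust to your version.
SAMPLE_CSV = '''"Address","Packets","Bytes","Tx Packets","Tx Bytes","Rx Packets","Rx Bytes"
"10.0.0.15","5200","6291456","2100","1048576","3100","5242880"
"93.184.216.34","4100","5242880","3000","4718592","1100","524288"
"10.0.0.7","900","1572864","400","524288","500","1048576"
"fileserver.example","300","2097152","150","1048576","150","1048576"
"192.168.1.20","120","204800","60","102400","60","102400"
'''


def local_top_talkers(csv_text, network="10.0.0.0/8"):
    """Return [(address, megabytes)] for hosts inside `network`,
    sorted by traffic volume, largest first."""
    net = ipaddress.ip_network(network)
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            addr = ipaddress.ip_address(row["Address"].strip())
        except ValueError:
            # Name resolution was on, so this cell holds a hostname, not an IP.
            continue
        # Skip other address families and hosts outside the local network.
        if addr.version != net.version or addr not in net:
            continue
        total_bytes = int(row["Bytes"].replace(",", ""))
        rows.append((str(addr), total_bytes))
    rows.sort(key=lambda r: r[1], reverse=True)
    # 1 MB is taken as 1024 * 1024 bytes here (an assumption about the unit wanted).
    return [(a, round(b / (1024 * 1024), 2)) for a, b in rows]


if __name__ == "__main__":
    for address, mb in local_top_talkers(SAMPLE_CSV):
        print(f"{address:<16} {mb:>10.2f} MB")
```

Rows whose address cell holds a resolved hostname are skipped, so copy the data with name resolution turned off if those hosts should be counted.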

@life036

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(04 Oct '13, 02:00) grahamb ♦
2

You might want to suggest that sort of hierarchical grouping of addresses in the Endpoint statistics as an enhancement request on the Wireshark Bugzilla, and suggest an option to allow different units to be specified (bytes, KB, MB, GB, etc.).

(04 Oct '13, 02:08) Guy Harris ♦♦

Ease up, @grahamb. I'm on the other side of the globe in the opposite time zone and don't have the luxury of staying up all night to check this thread. I wasn't going to mark it answered until I finished my discussion with the actual helpful people around here.

Much thanks to everyone else, though.

(04 Oct '13, 11:54) life036

Woah, there @life036! @grahamb is one of the good guys. He is merely trying to remind questioners to flag the answer. That way this forum has a few more questions with answers.

(04 Oct '13, 18:43) martyvis

Well maybe next time he can wait until the entire discussion has run its course before being so quick to police everyone and quote rules and regulations. It's actually quite rude.

(04 Oct '13, 19:04) life036
1

@life036, Sorry, I mistook the first sentence in your comment "Brilliant thanks!" as accepting the answer had solved your issue, and I didn't think the supplemental question that followed negated that.

The very low acceptance rate shown (8% for @martyvis) for all the regular contributors shows just how bad a job folks do when thanking others for helping them out, hence the use of the site provided pre-canned comment reminder I used.

Anyway you've now accepted the answer so job done.

(04 Oct '13, 23:33) grahamb ♦
1

And thank you ("you" as in life036) for filing bug 9230 to request the hierarchical view and bug 9231 to request the xBification of the byte counts.

(04 Oct '13, 23:44) Guy Harris ♦♦
1

No biggy man, sorry for jumping down your throat about it.

(05 Oct '13, 01:29) life036