
Dear friends, I plotted an IO graph on a dump of packets collected over a few seconds of time. I am able to see spikes/peaks in the graph with coordinates X-axis - 1 sec tick and Y-axis - bits/tick, scale - auto. I would like to find out the area of the peak above a certain point of the y-axis. Say my threshold limit is 4 Mbps; I would like to find the amount of over-subscribed traffic above 4 Mbps for the duration it was over-subscribed. If I am correct, we need to use integration, but I am not able to nail down the function to do so. Please help me in this regard and throw some light on it. Your help is highly appreciated. To summarize:

- Function through which the graph is plotted.
- Finding out the area of a spike above a certain threshold.

Thanks, Rukesh

asked 06 Mar '11, 13:40


You can't really just see what went above a threshold, but you can look at the view of all traffic between two points in time. To do this, simply bring up your IO graph. Click on the area where it goes above the threshold you have in mind. This will select a packet in the packet list. Set this as your starting point with a display filter based on the frame number. For example, "frame.number >=299". Go back to your IO Graph and choose the end of the period of time that goes above the threshold. This will select another packet. Note the frame number and expand your display filter. For example, "frame.number >=299 && frame.number <=375". This would display everything between frame 299 and 375. At this point, you can work with the data or save it out as an independent CAP file.

This is not as elegant as a drop and drag on the IO Graph, but it does allow you to focus. Beyond that, you might be interested in Cace Pilot. Watch some of the videos on that. Be aware that Cace is not a GPL product like Wireshark.


answered 06 Mar '11, 14:46

Paul Stewart

Dear Mr.Stewart,

Brilliant. Really, it brought some light into me. Thanks a lot. Immediately, I did use your suggestion - frame.number >=, <= - and I got a nice extract. With this, can I go ahead using the area of a triangle or rectangle, whichever way the peak burst (> committed rate over a period) looks like? Or is it just the difference between the frames with number >= && <= ? Please extend your support. As the CACE tool might take another 48 hrs to download, I need to analyse the data immediately. My requirement is to find out the amount of burst that occurred > CIR in the period of sec.

Many thanks, Rukesh

(06 Mar '11, 16:45) Rukesh

The display filter "frame.number >=# && frame.number <=##" would be every frame number between # and ##. Since they are captured in order, this will be a period of time. If you are wanting to see what the > CIR is in a period of a second, you can bring an IO Graph back up and set your Tick interval to 1 Second and set the Unit to Bits/s. If you want to keep the scale consistent, set it to something like 2x your CIR. Now the problem is you are looking at traffic in both directions. Read on.

(06 Mar '11, 16:59) Paul Stewart

To look at the traffic one direction at a time in the IO Graph, click on the Graph 1 button to disable it. Then, in the Graph 2 text box next to the filter button, filter based on your IP source range. For example, mine is "ip.src==". Then, in the same box near Graph 3, filter to your destination. For example, mine is "ip.dst==". Then click the "Graph 2" and "Graph 3" buttons. At this point, the red line will be your outbound bits/s and the green line is the inbound bits/s. HTH.

(06 Mar '11, 17:03) Paul Stewart
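
The area above the threshold that the question asks about can also be computed outside the IO Graph. The following is an added example, not part of the original posts: it buckets packets into 1-second ticks the way the graph does and sums the bits above the CIR for each burst. It assumes the input is a list of (relative time in seconds, frame length in bytes) pairs for one direction of traffic, for instance exported with tshark -T fields -e frame.time_relative -e frame.len; the function names and the sample data are constructed for illustration.

```python
from collections import defaultdict

def bits_per_tick(packets, tick=1.0):
    """Bucket (relative_time_s, frame_len_bytes) pairs into ticks, like the IO Graph."""
    buckets = defaultdict(int)
    for t, length in packets:
        buckets[int(t // tick)] += length * 8
    if not buckets:
        return []
    # Ticks with no packets count as 0 bits so bursts are not merged across gaps.
    return [buckets.get(i, 0) for i in range(max(buckets) + 1)]

def bursts_over_cir(series, cir_bps, tick=1.0):
    """Return [(start_s, duration_s, excess_bits)] for each run of ticks above CIR."""
    limit = cir_bps * tick          # bits allowed in one tick at the committed rate
    bursts, start, excess = [], None, 0
    for i, bits in enumerate(series + [0]):   # trailing 0 closes a burst at the end
        if bits > limit:
            if start is None:
                start, excess = i, 0
            excess += bits - limit  # area of this tick's bar above the threshold
        elif start is not None:
            bursts.append((start * tick, (i - start) * tick, excess))
            start = None
    return bursts

def sample_capture():
    """Constructed data: 1250-byte frames; 300, 500, 450, 100, 600 frames per second."""
    pkts = []
    for sec, n in enumerate([300, 500, 450, 100, 600]):
        pkts += [(sec + k / n, 1250) for k in range(n)]
    return pkts

if __name__ == "__main__":
    series = bits_per_tick(sample_capture())
    for start, dur, excess in bursts_over_cir(series, 4_000_000):
        print(f"burst at {start:.0f}s for {dur:.0f}s: {excess / 1e6:.2f} Mbit over CIR")
```

With a 1-second tick the excess is a sum of rectangles, one per tick, so no triangle approximation is needed; a smaller tick gives a finer view of short bursts.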
question asked: 06 Mar '11, 13:40

question was seen: 4,403 times

last updated: 06 Mar '11, 17:03
