This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using I/O graph how to interept bytes/tick against packet details information?

0

I'm working on a trace-file which has reported ISP throttling occurrences in it.

My task is

to use IO graph to understand at what point in time the throttling process effected client upload throughput. To achieve this I have applied 3 filters with results shown in UI attached.

My Problem.

Each blue line, when I see the graph it raising from its level both up and down using the Y axis which is set to byets/tick. Now, interesting this which should be very easy to find, like when I click on the line which lays low in graph and compare to green line which is higher in scale at the wireshark packets pane/window I'm confused as to what bytes (size) attribute to change in these lines positions on graph (IO)?

To re-create

open wireshark-> generate traffic (e.g http)- > goto statistics-> I/O graph

Now,

click on any point in graph it takes you to packet (single) view, now on the packet informtion do you see anything e.g len,window size etc that tells why this packet was lower /higher on scale in graph w.r.t bytes /tick. Make sure Y-axis is set as bytes/tick.

Where I have to look in packet details to find this information. Thanks.

alt text alt text alt text

asked 17 Jun '15, 01:37

asad's gravatar image

asad
11226
accept rate: 0%

edited 18 Jun '15, 03:47

any luck? anyone

(17 Jun '15, 23:29) asad
1

Where I have to look in packet details to find this information.

hm... I don't fully understand what you are asking for. Could you please add more details?

(17 Jun '15, 23:40) Kurt Knochner ♦

@kurt please see the review and let me if it helps.

(18 Jun '15, 00:54) asad
1

It is a summarization per tick intervall. So if a packet is higher or lower than it is later or ealier in that specific intervall.

(18 Jun '15, 01:11) Christian_R

@Christian_R thanks for commenting, but on Y-axis it says bytes/tick so i'm looking the graph uses byte (size) criteria for plotting?

(18 Jun '15, 01:15) asad

I'm sorry, but I still don't get it.

do you see anything e.g len,window size etc that tells why this packet was lower /higher on scale in graph w.r.t bytes /tick.

What do you mean by that (bold text part)? A packet is "nowhere" in the graph, neither higher nor lower. The graph just shows a mean value of frames in the selected time/tick interval and if you click somewhere, you will end up "somewhere" in the "window of frames" that created the data where you approximately clicked in the graph.

Maybe we try it the other way round: What kind of information are you trying to find?

(18 Jun '15, 02:00) Kurt Knochner ♦

@kurt I have added more details now, let me know why packet 3134 and 3137 are at different positions on graph?

(18 Jun '15, 03:49) asad

@lchappell I hope you can help me out there:).

(18 Jun '15, 05:16) asad
showing 5 of 8 show 3 more comments

One Answer:

1

Packets 3134 & 3137 are at different positions in the graph as they fall into different tick intervals.

According to the bottom screenshot, you have a tick interval of 0.01 sec. Looking at the packet list, packets 3134, 3135 & 3136 all fall into the interval 14.12 - 14.12999999, packet 3137 ... fall into the tick interval 14.13 - 14.13999999.

answered 18 Jun '15, 05:29

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

edited 18 Jun '15, 05:55

Thanks horizontal positions I already know as to why I'm talking specifically as i mention in question as well its the Y-AXIS position how is that effected?

(18 Jun '15, 06:02) asad
1

That's the function of the graph, bytes per interval.

The Y-Axis value is the number of bytes in packets in that interval. For the interval 14.12 - 14.12999999 there are three packets (3134-6) with a total length of 3066 bytes. For the interval 14.13 - 14.13999999 there are at least 5 packets (3137-41) with a total length of 7530 bytes. There may be more packets and bytes in the second interval but that can't be determined from your screenshot. Yet another reason why analysis by screenshot is annoying. Much easier with the actual capture file.

(18 Jun '15, 06:08) grahamb ♦

Thanks you solved the riddle. So each dot is the summation of all previous dots in that specific time interval e.g 0.1 or 0.01.

(18 Jun '15, 06:42) asad

Not exactly, each dot is the summation of all bytes in that specific time interval (that match the applied filter if any).

(18 Jun '15, 07:23) grahamb ♦