Hi, I am examining a trace from NetScaler. On Statistics -> IO Graphs, I am comparing bytes in flight and window size. Strangely, my bytes in flight is higher than the window size. Only when I supply a TCP stream as a display filter does the problem seem to recover. When there is no input in the display filter, bif exceeds the window size. Besides, when I enter a VLAN (nstrace.vlan) it doesn't have an effect. Still, bif is higher. Note: I select Y-Field as tcp.analysis.bytes_in_flight and tcp.window_size, then Y-axis as max(Y-Field). Any idea would be appreciated.
asked 21 Dec '16, 23:36 Ozan_Cesur
One Answer:
Bytes in flight and window size are session-based values. So, to be exact, you need more things in the filter for the two graphs;
answered 21 Dec '16, 23:48 Christian_R edited 21 Dec '16, 23:51
I thought that when I left the display filter empty, Wireshark would search through all the sessions. So when it draws the bytes_in_flight information for a specific session, it should have found the window size information for that specific session as well.
As I see it, that is not how Wireshark draws graphs when I leave the display filter empty. I should look into how it behaves when no filters are entered.
Thanks for the response
First, I have converted your answer into a comment, as it is more of a comment.
If you leave the filter field empty, Wireshark looks at every packet, and if it contains the field, it draws the value (max, SUM...). But Wireshark does this without any kind of intelligence.
The intelligence is the display filter in this case, which needs to be defined by the user.
But at least for the window size value there are some intelligent graphs available, as you had expected from the IO graph: Statistics -> TCP Stream Graphs -> Window Scaling
or
Statistics -> TCP Stream Graphs -> tcptrace
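
The per-interval aggregation described in this thread, as an added Python example that is not part of the original posts: it computes max(Y-Field) per interval over every packet, as the unfiltered IO Graph does, and records which tcp.stream each maximum came from. The rows are constructed sample data, and the tshark export in the comment (with the placeholder file name trace.pcap) is one assumed way to obtain real ones.

```python
# Constructed sample rows, shaped like the output of:
#   tshark -r trace.pcap -T fields -e frame.time_relative -e tcp.stream \
#          -e tcp.analysis.bytes_in_flight -e tcp.window_size
# Each row: (time_s, tcp.stream, bytes_in_flight or None, window_size)
ROWS = [
    (0.10, 3, 1460, 29200), (0.20, 7, None, 65535),
    (0.40, 7, 2920, 65535), (0.70, 3, 14600, 29200),
    (1.10, 3, 87600, 29200), (1.30, 7, 4380, 65535),
    (1.60, 3, 93440, 29200), (1.80, 7, None, 65535),
    (2.20, 7, 5840, 65535), (2.50, 3, 20440, 29200),
]


def io_graph_max(rows, interval=1.0, stream=None):
    """Per-interval max of both fields, like IO Graph max(Y-Field).

    stream=None models an empty display filter (every packet counts);
    an integer models the display filter tcp.stream == N.
    Returns {interval_index: {"bif": (value, stream), "win": (value, stream)}}.
    """
    out = {}
    for t, s, bif, win in rows:
        if stream is not None and s != stream:
            continue
        cur = out.setdefault(int(t // interval),
                             {"bif": (0, None), "win": (0, None)})
        # A packet without the field contributes nothing to that series.
        if bif is not None and bif > cur["bif"][0]:
            cur["bif"] = (bif, s)
        if win is not None and win > cur["win"][0]:
            cur["win"] = (win, s)
    return out


def exceeding(rows, interval=1.0, stream=None):
    """Intervals where the plotted max bytes in flight tops the max window."""
    graph = io_graph_max(rows, interval, stream)
    return sorted(k for k, v in graph.items() if v["bif"][0] > v["win"][0])


if __name__ == "__main__":
    for k, v in sorted(io_graph_max(ROWS).items()):
        print(f"interval {k}: max bif {v['bif'][0]} (stream {v['bif'][1]}), "
              f"max window {v['win'][0]} (stream {v['win'][1]})")
    print("unfiltered intervals with bif > window:", exceeding(ROWS))
    for s in sorted({r[1] for r in ROWS}):
        print(f"tcp.stream == {s}:", exceeding(ROWS, stream=s))
```

In this sample the two unfiltered maxima in interval 1 come from different streams, so grouping by tcp.stream shows which session to filter on and inspect with the TCP Stream Graphs.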