Wireshark-users: Re: [Wireshark-users] Graphing IP DSCP and other fields

From: "Barry Constantine" <Barry.Constantine@xxxxxxxx>
Date: Wed, 16 Apr 2008 13:22:40 -0700
Title: Graphing IP DSCP and other fields

Hi Sebastian,

I agree, and what I do is use the Wireshark command-line io,stat, which allows you to list as many display filters as you want and then dump to file.  I then bring this data into Excel and do whatever I want with it graphically.

The syntax is a little tricky, but here is an example:

This is an example of io,stat graphing in which average frame, bytes, and TCP Window (RX) size per interval are computed:

    tshark -r download-bad.pcap -q -z io,stat,5,ip.addr==10.0.52.164,AVG(tcp.window_size)tcp.window_size

The ip.addr is an optional filter; you just keep adding your statistics separated by comma.  Note that COUNT, SUM are better choices for other stats such as retransmissions, etc.

Hope this helps,

Barry
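
Barry's approach also covers the many-DSCP case Sebastian raises: give io,stat one display filter per DSCP value and tshark prints one frames/bytes column pair per filter, however many filters are listed. The Python below is an added example written for this page, not code from either poster or from the Wireshark project. It builds the tshark argument list for a set of DSCP values (plus an all-IP column for the total), converts the io,stat table into CSV for a spreadsheet, and sums bytes per filter for the aggregated, pie-chart style view. The table layout it parses is an assumption modelled on current tshark output (a "Col N: <filter>" legend followed by "start <> end" rows), and the sample table embedded in it is constructed, not captured from a real run.

```python
import csv
import io
import re
import subprocess
from typing import Dict, List, Tuple


def dscp_filters(values, base: str = "ip") -> List[str]:
    """One display filter per DSCP value, preceded by the base filter so the
    first column is total IP traffic. Written without spaces or commas:
    io,stat splits its argument on commas, and spaces would need quoting."""
    return [base] + [f"{base}&&ip.dsfield.dscp=={v}" for v in values]


def io_stat_args(interval_secs: int, filters: List[str]) -> List[str]:
    """tshark arguments that print frames and bytes per interval for every
    filter (a COUNT()/SUM()/AVG() prefix per filter works as in the post)."""
    if not filters:
        raise ValueError("io,stat needs at least one display filter")
    return ["-q", "-z", ",".join(["io", "stat", str(interval_secs), *filters])]


def run_io_stat(pcap: str, tshark_args: List[str]) -> str:
    """Run tshark on a capture file and return the io,stat table as text."""
    return subprocess.run(["tshark", "-r", pcap, *tshark_args],
                          capture_output=True, text=True, check=True).stdout


# Assumed io,stat layout: legend lines "Col N: <filter>" and data rows
# "| start <> end | frames | bytes | ... |" (the final row may end in "Dur").
_LEGEND = re.compile(r"^\|\s*(?:Col\s+)?(\d+):\s*(\S.*?)\s*\|?\s*$")
_ROW = re.compile(r"^\|\s*(\d+(?:\.\d+)?)\s*<>\s*(\d+(?:\.\d+)?|Dur)\s*\|(.*)$")


def _num(cell: str):
    try:
        return int(cell)
    except ValueError:
        return float(cell)  # AVG() columns carry decimals


def parse_io_stat(text: str) -> Tuple[List[str], List[List]]:
    """Turn the io,stat table into (header, rows); each row is
    [start, end, frames_1, bytes_1, frames_2, bytes_2, ...]."""
    names: Dict[int, str] = {}
    rows: List[List] = []
    for line in text.splitlines():
        m = _LEGEND.match(line)
        if m:
            names[int(m.group(1))] = m.group(2)
            continue
        m = _ROW.match(line)
        if m:
            cells = [c.strip() for c in m.group(3).split("|") if c.strip()]
            end = m.group(2) if m.group(2) == "Dur" else float(m.group(2))
            rows.append([float(m.group(1)), end, *map(_num, cells)])
    header = ["start", "end"]
    for i in sorted(names):
        header += [f"{names[i]} frames", f"{names[i]} bytes"]
    if rows and len(header) != len(rows[0]):
        # Legend and row width disagree (e.g. AVG() columns): use generic names
        header = ["start", "end"] + [f"col{i}" for i in range(1, len(rows[0]) - 1)]
    return header, rows


def io_stat_to_csv(text: str) -> str:
    """CSV text ready for spreadsheet import."""
    header, rows = parse_io_stat(text)
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


def byte_totals(header: List[str], rows: List[List],
                skip: Tuple[str, ...] = ()) -> Dict[str, Tuple[int, float]]:
    """Bytes per filter summed over all intervals, with each filter's share of
    the sum: the aggregated-over-time view a pie chart would show. Pass the
    all-traffic filter in `skip` so it is not counted against the others."""
    totals = {}
    for i, name in enumerate(header):
        if name.endswith(" bytes") and name[:-len(" bytes")] not in skip:
            totals[name[:-len(" bytes")]] = sum(r[i] for r in rows)
    grand = sum(totals.values()) or 1
    return {k: (v, v / grand) for k, v in totals.items()}


# Constructed sample in the assumed layout (not captured from a real run).
SAMPLE = """\
===================================================
| IO Statistics                                   |
| Duration: 10.0 secs                             |
| Interval:  5 secs                               |
| Col 1: ip.dsfield.dscp==46                      |
|     2: ip.dsfield.dscp==34                      |
|-------------------------------------------------|
| Interval | Frames |  Bytes  | Frames |  Bytes  |
|-------------------------------------------------|
|  0 <>  5 |     12 |    1680 |      3 |     420 |
|  5 <> 10 |      7 |     980 |      0 |       0 |
===================================================
"""

if __name__ == "__main__":
    # "capture.pcap" is a placeholder path; the command is only printed here.
    print(" ".join(["tshark", "-r", "capture.pcap",
                    *io_stat_args(5, dscp_filters([46, 34, 0]))]))
    print(io_stat_to_csv(SAMPLE))
    print(byte_totals(*parse_io_stat(SAMPLE)))
```

When the `-z` argument is typed at a shell instead of passed through subprocess, quote it, because `&&` is otherwise interpreted by the shell; and keep commas out of the filters, since io,stat uses the comma as its separator. If tshark's table layout differs from the assumed one, only the two regular expressions need adjusting.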

 


From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sebastian
Sent: Wednesday, April 16, 2008 3:51 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Graphing IP DSCP and other fields

Hi all,

Is there a better way of graphing IP DSCP than using an IO graph?  The IO graph suffers from two disadvantages compared with the ideal statistics tool:

1.  Since the IO graph cannot automatically graph different values of the same field, one has to put in for example:
ip.dsfield.dscp == 46
Into one graph, then
ip.dsfield.dscp == 34
Into another graph, etc. for all the DSCP numbers you want to graph, which will probably include 0 and perhaps total IP traffic.  (a) this is rather tedious, and (b) there are only 5 graphing slots available and there are 21 relatively commonly used DSCP values (including the ToS ones), plus a lot more 'user-configurable' ones.

2.  There is no way of saving (and loading) groups of IO graphing criteria together.

Of course, IO graphs could benefit from enhancements in these two areas (for graphing many, many things)…  For example, in the case of automatically graphing all values of a field, adding a checkbox that works when you don't have an operator / 'relation' in the filter expression called something like 'Graph values separately' that ungroups the values of the field and draws lines for each one.  Or a special 'relation' that does this ungrouping (so that you can still filter on other things).  The problem I see with both these is that extra colours would have to be dynamically assigned to the resulting graphs, so maybe there is a better solution.

A pie chart for graphing fields would probably also be useful, e.g. if you want to see the relative bandwidth by DSCP, or CoS, or VLAN ID, aggregated over time.

One usage scenario for these graphs is monitoring the bandwidth used by various groups of services, and ensuring good QoS (DiffServ) behaviour of a network.

But I'm pretty new to Wireshark, so, of course, I may have missed some of its capabilities.  Please enlighten me if so.

Many thanks,

SPA