From charlesreid1

Revision as of 04:34, 20 January 2016

Traffic

Various ways of using Wireshark to see the amount of traffic on a network.

IO Graphs

The first way to show IO information is the Wireshark IO Graph, in Statistics > IO Graph.

The IO graph shows a time series of network traffic. You can change its resolution and scale, and apply filters to it.

Here is the same pcap file; first, the rather boring 1-second resolution:

WiresharkIO 1second.png

and the much more interesting 10-minute resolution:

WiresharkIO 10minute.png

IO Graph Units

The units of the graph are a little hard to decipher, but here's how it works:

Set the Y Axis unit to "Bits/Tick". Then the y-axis tick marks represent the number of bits seen per tick (one tick is one time interval on the x-axis). Now you can scale using orders of magnitude:

  • 1,000 bits = 1 kilobit
  • 1,000,000 bits = 1 megabit

When you use the Scale drop-down menu, it will scale the y-axis to go from 0 to that number. This will change depending on the time window you're looking at.

Let's walk through how we can interpret the graphs to figure out about how much data the wireless card is seeing.

Before beginning, apply a moving average filter, to minimize the jumps in the order of magnitude of the measurements due to differences in sampling rates and resolutions.

Start with data at 1 second intervals, and set scale to 10,000 bits:

Wireshark iograph1.png

The traffic is around the 50,000 bit tick, which means that the y-axis (amount of data) is 50,000 bits = 50 kilobits. Now to get a rate, divide that by the time interval of 1 second (that's our time resolution on this graph), for 50 kbps. That wireless card is handling slightly less traffic than a dial-up connection.

Next, we'll graph the data at 10 second intervals. If we're looking at a 50 kbps average traffic rate, we should see the y-axis scale from 50,000 to 500,000 bits, or 500 kilobits. Sure enough, the given scale shows the data.

Wireshark iograph2.png

This also works in the reverse direction: changing the time sampling to 0.1 seconds, and increasing the time-averaging filter window, reduces the y-axis scale to 5,000 bits per 0.1 second:

Wireshark iograph3.png
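The same Bits/Tick arithmetic, as an added example that is not part of the original page: it bins a constructed 60-second capture at the three tick sizes used above, applies a moving average, and converts each series back to a rate. The function names and the sample traffic are assumptions made for illustration.

```python
from collections import defaultdict

def bits_per_tick(packets, tick_ms):
    """Bin (timestamp_ms, frame_len_bytes) pairs into ticks; return bits per tick."""
    if not packets:
        return []
    start = min(t for t, _ in packets)
    bins = defaultdict(int)
    for t, nbytes in packets:
        bins[(t - start) // tick_ms] += nbytes * 8
    # Ticks with no packets still appear on the graph, as zero.
    return [bins[i] for i in range(max(bins) + 1)]

def moving_average(series, window):
    """Trailing mean over `window` ticks (shorter window at the start)."""
    out = []
    for i in range(len(series)):
        chunk = series[max(0, i - window + 1): i + 1]
        out.append(sum(chunk) / len(chunk))
    return out

def rate_bps(series, tick_ms):
    """Average rate: mean bits per tick divided by the tick length in seconds."""
    return sum(series) / len(series) * 1000 / tick_ms

# Constructed capture (not real data): one frame every 100 ms for 60 s.
# Each second has five 1000-byte frames followed by five 250-byte frames,
# so the traffic is bursty but averages 50,000 bits per second.
PACKETS = [(i * 100, 1000 if i % 10 < 5 else 250) for i in range(600)]

if __name__ == "__main__":
    for tick_ms in (100, 1000, 10000):
        series = bits_per_tick(PACKETS, tick_ms)
        smooth = moving_average(series, 10)
        print(f"tick={tick_ms / 1000:>4} s  "
              f"raw min/max={min(series)}/{max(series)} bits  "
              f"smoothed last={smooth[-1]:.0f} bits/tick  "
              f"rate={rate_bps(series, tick_ms):.0f} bps")
```

At the 0.1 second tick the raw series jumps between 2,000 and 8,000 bits, and the 10-tick moving average settles it at 5,000 bits per tick, which is the same 50 kbps the 1 second and 10 second ticks report.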