Wireshark/Traffic Analysis
From charlesreid1
Traffic Graphs
Various ways of using Wireshark to see the amount of traffic on a network.
IO Graphs
The first way to show IO information is the Wireshark IO Graph, in Statistics > IO Graph.
The IO graph shows a time series of network traffic, which you can change the resolution and scale of, and filter.
Here is the same pcap file; first, the rather boring 1-second resolution:
and the much more interesting 10-minute resolution:
IO Graph Units
The units of the graph are a little hard to decipher, but here's how it works:
Set the Y Axis unit to "Bits/Tick". Then the y-axis tick marks represent the number of bits seen during each tick (one sampling interval). Now you can scale using orders of magnitude:
- 1,000 bits = 1 kilobit
- 1,000,000 bits = 1 megabit
When you use the Scale drop-down menu, it will scale the y-axis to go from 0 to that number. This will change depending on the time window you're looking at.
Let's walk through how we can interpret the graphs to figure out about how much data the wireless card is seeing.
Before beginning, apply a moving-average filter to smooth out the jumps in the measurements (which can span an order of magnitude) caused by differences in sampling rates and resolutions.
Start with data at 1 second intervals, and set scale to 10,000 bits:
The traffic is around the 50,000 bit tick, which means that the y-axis (amount of data) is 50,000 bits = 50 kilobits. Now to get a rate, divide that by the time interval of 1 second (that's our time resolution on this graph), for 50 kbps. That wireless card is handling slightly less traffic than a dial-up connection.
Next, we'll graph the data at 10 second intervals. If we're looking at a 50 kbps average traffic rate, we should see the y-axis reading go from 50,000 to 500,000 bits per tick, or 500 kilobits. Sure enough, that's where the data sits on the new scale.
This also works in the reverse direction: changing the time sampling to 0.1 seconds, and increasing the time-averaging filter window, reduces the y-axis scale to 5,000 bits per 0.1 second:
WLAN Traffic Statistics
If you pick Statistics > WLAN Traffic, you'll get a breakdown of traffic by conversation. You can sort by percentage:
Total Packet Traffic Statistics
You can also get overall packet statistics from the top-level summary of the pcap file: Statistics > Summary brings it up. There, you can see the following:
- average packets per second (23.7 in my case)
- total number of packets (364,000)
- average packet size (82 bytes)
- MBit/s (0.016 Mbps, or 16 kbps)
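The bits-per-tick arithmetic from the IO Graph section and the Summary figures above, as an added Python example (not code from the wiki or from Wireshark). It bins a constructed frame list into ticks of 0.1 s, 1 s and 10 s, applies a trailing moving average, and shows that the per-tick reading scales with the tick length while the rate stays at 50 kbps; the frame list and all values in it are made up for the demonstration.

```python
# Constructed sample capture: (timestamp in milliseconds, frame length in bytes).
# One 625-byte frame every 100 ms for 20 s is a steady 50,000 bit/s, the
# ~50 kbps the IO-graph walkthrough above reads off the y-axis.
SAMPLE_FRAMES = [(i * 100, 625) for i in range(200)]


def bits_per_tick(frames, tick_ms):
    """Bin frames into IO-graph ticks (integer ms keeps the binning exact).
    Ticks run from the first frame to the last, so quiet periods show as zeros."""
    if not frames:
        return []
    start = frames[0][0]
    bins = [0] * ((frames[-1][0] - start) // tick_ms + 1)
    for ts, length in frames:
        bins[(ts - start) // tick_ms] += length * 8
    return bins


def moving_average(values, window):
    """Trailing moving average, like the IO graph's smoothing option."""
    return [sum(values[max(0, i - window + 1):i + 1]) / min(window, i + 1)
            for i in range(len(values))]


def ticks_to_bps(per_tick, tick_ms):
    """A rate is bits per tick divided by the tick length in seconds."""
    return [bits * 1000 / tick_ms for bits in per_tick]


def capture_summary(frames):
    """The figures Statistics > Summary reports; elapsed time is first to last frame."""
    total_packets = len(frames)
    total_bytes = sum(length for _, length in frames)
    elapsed_s = (frames[-1][0] - frames[0][0]) / 1000 or float("nan")  # avoid /0
    return {
        "total_packets": total_packets,
        "avg_packet_size": total_bytes / total_packets,
        "avg_pps": total_packets / elapsed_s,
        "mbit_per_s": total_bytes * 8 / elapsed_s / 1e6,
    }


if __name__ == "__main__":
    # Same rate at every resolution; only the per-tick reading changes.
    for tick_ms in (100, 1000, 10000):
        smoothed = moving_average(bits_per_tick(SAMPLE_FRAMES, tick_ms), 3)
        print(tick_ms, "ms ticks:", smoothed[0], "bits/tick =",
              ticks_to_bps(smoothed, tick_ms)[0], "bit/s")
    print(capture_summary(SAMPLE_FRAMES))
```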