Hi Sebastian,

I agree and what I do is use Wireshark command line io.stat, which allows you to list as many display filters as you want and then dump to file. I then bring this data into Excel and do whatever I want with it graphically.

The syntax is a little tricky, but here is an example:

This is an example of io.stat graphing in which average frame, bytes, and TCP Window (RX) size per interval are computed:

tshark -r download-bad.pcap -q -z io,stat,5,ip.addr==10.0.52.164,AVG(tcp.window_size)tcp.window_size

The ip.addr is an optional filter; you just keep adding your statistics separated by comma. Note that COUNT, SUM are better choices for other stats such as retransmissions, etc.

Hope this helps,
Barry

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sebastian
Sent: Wednesday, April 16, 2008 3:51 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Graphing IP DSCP and other fields

Hi all,

Is there a better way of graphing IP DSCP than using an IO graph? The IO graph suffers from two disadvantages compared with the ideal statistics tool:

1. Since the IO graph cannot automatically graph different values of the same field, one has to put in for example:
   ip.dsfield.dscp == 46
   into one graph, then
   ip.dsfield.dscp == 34
   into another graph, etc. for all the DSCP numbers you want to graph, which will probably include 0 and perhaps total IP traffic. (a) this is rather tedious, and (b) there are only 5 graphing slots available and there are 21 relatively commonly used DSCP values (including the ToS ones), plus a lot more 'user-configurable' ones.
2. There is no way of saving (and loading) groups of IO graphing criteria together.

Of course, IO graphs could benefit from enhancements in these two areas (for graphing many, many things)… For example, in the case of automatically graphing all values of a field, adding a checkbox that works when you don't have an operator / 'relation' in the filter expression called something like 'Graph values separately' that ungroups the values of the field and draws lines for each one. Or a special 'relation' that does this ungrouping (so that you can still filter on other things). The problem I see with both these is that extra colours would have to be dynamically assigned to the resulting graphs, so maybe there is a better solution.

A pie chart for graphing fields would probably also be useful, e.g. if you want to see the relative bandwidth by DSCP, or CoS, or VLAN ID, aggregated over time.

One usage scenario for these graphs is monitoring the bandwidth used by various groups of services, and ensuring good QoS (DiffServ) behaviour of a network.

But I'm pretty new to Wireshark, so, of course, I may have missed some of its capabilities. Please enlighten me if so.

Many thanks,
SPA
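
Added example, not part of the original thread: a shell helper that builds the io,stat argument described in the reply above with one filter column per DSCP value, so more than five values can be tabulated in a single pass over the capture. The function names, the whole-second interval restriction and the use of total IP traffic (filter "ip") as the first column are assumptions of this example.

```sh
# Added example; function names and sample DSCP values are constructed.

# build_dscp_iostat INTERVAL DSCP [DSCP...]
# Prints an io,stat spec: total IP traffic first, then one filter per DSCP.
# The body runs in a subshell, so "exit" only sets the function's status.
build_dscp_iostat() (
    interval=$1
    [ $# -ge 2 ] || { echo "usage: build_dscp_iostat INTERVAL DSCP..." >&2; exit 2; }
    shift
    case $interval in
        ''|*[!0-9]*) echo "interval must be whole seconds: $interval" >&2; exit 2 ;;
    esac
    [ "$interval" -gt 0 ] || { echo "interval must be > 0" >&2; exit 2; }

    spec="io,stat,$interval,ip"
    for dscp in "$@"; do
        # DSCP is a 6-bit field, so only decimal 0-63 is accepted.
        case $dscp in
            ''|*[!0-9]*) echo "not a DSCP number: $dscp" >&2; exit 2 ;;
        esac
        [ "$dscp" -le 63 ] || { echo "DSCP out of range (0-63): $dscp" >&2; exit 2; }
        spec="$spec,ip.dsfield.dscp==$dscp"
    done
    printf '%s\n' "$spec"
)

# dscp_iostat CAPTURE INTERVAL DSCP [DSCP...]
# Runs tshark with the generated spec; the io,stat table goes to stdout.
dscp_iostat() (
    capture=$1
    shift
    spec=$(build_dscp_iostat "$@") || exit 2
    tshark -r "$capture" -q -z "$spec"
)

# Usage (capture name taken from the reply above):
#   dscp_iostat download-bad.pcap 5 0 34 46 > dscp.txt
```

The redirected table can then be imported into a spreadsheet for graphing, as the reply suggests.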