Wireshark I/O Graphs – Troubleshooting

If you work in IT, I am sure you have used, seen and/or heard of Wireshark. It is an awesome free tool for capturing packets and/or viewing captured data. Before I got heavily involved in wireless, I used it extensively on the wired side of things, sometimes to troubleshoot and sometimes to prove that it is not the network and assist other teams in figuring out the root cause. In short, it is a very powerful tool for network and wireless engineers.

I am no Wireshark expert; it is a constant learning process. Recently I had to do some troubleshooting and assessment for a customer and I decided to look into “Wireshark I/O Graphs”. I have seen them before but never paid much attention to them (don’t ask me why, perhaps because I always found my answer and didn’t need them until now). To be honest, I cannot believe that I did not pay as much attention to them as I should have in the past, considering it is something so simple.

Wireshark I/O Graphs

Here is a very quick default view of the I/O Graph I got from one of my recent captures:

Wireshark I/O Graph

There is nothing interesting there right now, so let’s make it interesting and useful using the simple options listed towards the bottom.

Wireshark I/O Graph – Setting view

As a first step, I am going to check the “Time of Day” box so that I can see the time stamps in my graph. NOTE: Since it’s a long image, I am going to just add the start and end of that image instead of pasting the whole thing.

Wireshark I/O Graph – Time Stamp Start
Wireshark I/O Graph – Time Stamp End

Now I have a graph that shows me the time stamps, and I can see that it runs from 07:30 to 08:30 (60 min). Next, since it is an hour-long graph, I want to change the interval to make more sense of it. I’m going to change it to 1 min and 10 min just to show the difference.

Wireshark I/O Graph – 1 Min Interval
Wireshark I/O Graph – 10 Min Interval

With the 1 min and 10 min intervals, the graph starts to expand a bit more, and the number of frames on the left-hand side also increases. I do like to look at different views and see what works for me, so it all depends. Let’s make it a bit more interesting now. This is showing me about 5000+ frames per 10 min interval, or around 1000 frames per 1 min interval, during its peak. I now want to see the beacon frames, so I will add a filter to update my graph.

Wireshark I/O Graph – Filter
Wireshark I/O Graph – Beacon Filter
  • Enabled Column: Can be checked and unchecked to show or hide that graph
  • Group Name: Anything related to your filter
  • Display Filter: Filter the packets or frames you want to graph
  • Color: Change the color of the filtered graph

Once I click on that check box, it will update the graph with all the beacon frames.

Wireshark I/O Graph – Beacon Frames/min
Wireshark I/O Graph – Beacon Frames/10 min

Let’s add Probe Requests and Probe Responses in there as well and enable them.

Wireshark I/O Graph – Beacons, Probe Requests, Probe Responses/min
Wireshark I/O Graph – Beacons, Probe Requests, Probe Responses/10min

I can see that the blue lines represent “All Packets”, but the rest of them all default to black lines. This gets a bit confusing, and people like colors, especially when it comes to graphs and reports. So I am going to change the colors. Colors can be customized by simply clicking on the square color icon under the “Colors” column.

Wireshark I/O Graphs – Color Customization
Wireshark I/O Graph – Color customization/min
Wireshark I/O Graph – Color customization/10min
Wireshark I/O Graph with Color customization

With these different views and filters I am able to generate graphs showing different frames and comparing their numbers. This can be used in multiple ways. For example, I once had to show the total number of frames during a specific time frame alongside all the VHT NDP frames because of MU-MIMO and TX Beamforming. In another scenario, I noticed a really unusual number of Probe Requests and Probe Responses, and that helped me narrow down my issue.
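The per-interval counting that the I/O Graph performs can also be scripted, which helps when the same check has to be repeated across many captures. The following is an added example, not part of the original post: it counts beacons, probe requests and probe responses per interval and flags intervals where one series spikes. The helper names (`build_pcap`, `sample`, `io_stat`, `spikes`), the 3x-median threshold and the embedded sample capture are assumptions constructed for illustration.

```python
import struct
from collections import Counter, defaultdict

# Management subtypes graphed in the post (Wireshark field: wlan.fc.type_subtype)
SUBTYPES = {8: "beacon", 4: "probe_req", 5: "probe_resp"}

def build_pcap(frames):
    """Constructed sample data: a radiotap pcap built from (ts_sec, subtype) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
    for ts, subtype in frames:
        radiotap = struct.pack("<BBHI", 0, 0, 8, 0)   # minimal 8-byte radiotap header
        fc = struct.pack("<H", subtype << 4)          # version 0, type 0 (management)
        pkt = radiotap + fc + b"\x00" * 22            # rest of the MAC header zeroed
        out += struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt
    return out

def sample():
    """Three constructed minutes; the second one carries a burst of probe requests."""
    frames = []
    for base in (1000, 1060, 1120):
        frames += [(base + i, 8) for i in range(10)]
        frames += [(base + i, 4) for i in range(30 if base == 1060 else 2)]
        frames += [(base + i, 5) for i in range(2)]
    return build_pcap(frames)

def io_stat(pcap, interval):
    """Frames per interval, like the I/O Graph: {bucket_start_sec: Counter}."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 127:
        raise ValueError("expected a little-endian pcap with radiotap link type")
    buckets, off, first = defaultdict(Counter), 24, None
    while off + 16 <= len(pcap):
        ts, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        pkt, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        first = ts if first is None else first
        row = buckets[(ts - first) // interval * interval]
        row["all"] += 1                               # the "All Packets" series
        rt_len = struct.unpack_from("<H", pkt, 2)[0] if len(pkt) >= 4 else len(pkt)
        if len(pkt) >= rt_len + 2:                    # skip truncated frames
            fc = struct.unpack_from("<H", pkt, rt_len)[0]
            ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
            if ftype == 0 and subtype in SUBTYPES:
                row[SUBTYPES[subtype]] += 1
    return dict(buckets)

def spikes(stats, name, factor=3):
    """Bucket starts where `name` exceeds factor x the median count (assumed threshold)."""
    counts = sorted(c[name] for c in stats.values())
    return [b for b, c in sorted(stats.items()) if c[name] > factor * counts[len(counts) // 2]]
```

Calling `io_stat(sample(), 60)` gives the 1 min view and `io_stat(sample(), 600)` the 10 min view; `spikes(stats, "probe_req")` returns the interval offsets, in seconds from the first frame, that stand out.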

Hope this will help someone out there and please feel free to provide any feedback that I can use to improve this and/or my writing. Thank you for reading.
