If you work in IT I am sure you have used, seen and/or heard of Wireshark. It is an awesome free tool for capturing packets and for viewing captured data. Before I got heavily involved in wireless, I used it extensively on the wired side of things, sometimes to troubleshoot and sometimes to prove that it is not the network and to assist other teams in figuring out the root cause. In short, it is a very powerful tool for network and wireless engineers.
I am no Wireshark expert; it is a constant learning process. Recently I had to do some troubleshooting and assessment for a customer and I decided to look into “Wireshark I/O Graphs”. I have seen them before but never paid much attention to them (don’t ask me why, perhaps because I always found my answer and didn’t need them until now). To be honest, I cannot believe that I did not pay as much attention to them as I should have in the past, considering they are something so simple.
Here is a very quick default view of the I/O Graph from one of my recent captures.
There is nothing interesting there right now, so let’s make it interesting and useful, using the simple options listed towards the bottom.
As a first step I am going to check the “Time of Day” box so that I can see the time stamps in my graph. NOTE: Since it’s a long image I am going to just add the start and end of that image instead of pasting the whole thing.
Now I have a graph that is showing me the time stamps and I can see that it runs from 07:30 to 08:30 (60 min). Next, since it is an hour-long graph, I want to change the interval to make more sense of it. I’m going to change it to 1 min and 10 min just to show the difference.
With a 1 min and a 10 min interval the graph starts to expand a bit more, and the number of frames on the left-hand axis increases as well. I do like to look at different views and see what works for me, so it all depends. Let’s make it a bit more interesting now. This is showing me about 5000+ frames per 10 min interval, or around 1000 frames per 1 min interval, during its peak. I now want to see the beacon frames, so I will add a filter to update my graph.
- Enabled column: check or uncheck to show or hide that line on the graph
- Group Name: any name related to your filter
- Display Filter: the display filter selecting the packets or frames you want to graph
- Color: change the color of the filtered graph line
Once I click on that check box, it will update the graph with all the beacon frames.
Let’s add Probe Requests and Probe Responses in there as well and enable them.
I can see that the blue line represents “All Packets”, but the rest all default to black lines. This gets a bit confusing, and people like colors, especially when it comes to graphs and reports. So I am going to change the colors. Colors can be customized by simply clicking on the square color icon under the “Color” column.
With these different views and filters I am able to generate graphs showing different frame types and compare their numbers. This can be used in multiple ways. For example, I once had to show the total number of frames during a specific time frame alongside all the VHT NDP frames, because of MU-MIMO and TX beamforming. In another scenario I noticed a really unusual number of Probe Requests and Probe Responses, and that helped me narrow down my issue.
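As an added example that is not part of the original post, the Python script below mimics what the I/O Graph does with the three filters above: it bins frames into 1 min and 10 min intervals, keeps one count series per filter plus “All Packets”, finds the peak interval, and flags intervals with an unusual share of Probe Requests. The filter values are Wireshark’s real wlan.fc.type_subtype codes; the capture itself is constructed, not real, and the share threshold is an assumption.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SUBTYPE_FILTERS = {  # Wireshark wlan.fc.type_subtype values for the management frames graphed above
    "Beacon": 0x08,          # display filter: wlan.fc.type_subtype == 0x08
    "Probe Request": 0x04,   # display filter: wlan.fc.type_subtype == 0x04
    "Probe Response": 0x05,  # display filter: wlan.fc.type_subtype == 0x05
}

def io_graph(frames, interval_s, filters=SUBTYPE_FILTERS):
    """Bin (timestamp, type_subtype) frames into interval_s-second buckets, one count
    series per filter plus "All Packets", like the I/O Graph rows. Returns {start: Counter}."""
    graph = defaultdict(Counter)
    for ts, subtype in frames:
        # Align the frame to the start of its interval, measured from midnight
        midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
        secs = (ts - midnight).total_seconds()
        bucket = midnight + timedelta(seconds=(secs // interval_s) * interval_s)
        graph[bucket]["All Packets"] += 1
        for name, wanted in filters.items():
            if subtype == wanted:
                graph[bucket][name] += 1
    return dict(sorted(graph.items()))

def peak(graph, series="All Packets"):
    """Bucket with the highest count for one series (the visible peak of that line)."""
    return max(graph.items(), key=lambda kv: kv[1][series])

def probe_storm_buckets(graph, max_share=0.25):
    """Intervals where probe requests exceed max_share (assumed threshold) of all frames,
    the 'unusual number of Probe Requests' pattern worth a closer look."""
    return [b for b, c in graph.items() if c["Probe Request"] > max_share * c["All Packets"]]

def sample_capture():
    """Constructed sample, not a real capture: 07:30-08:30, each minute 10 beacons, 2 probe
    requests, 2 probe responses, 6 data frames (0x20), plus a 120-probe-request burst at 07:45."""
    start, frames = datetime(2024, 1, 1, 7, 30), []
    for minute in range(60):
        t = start + timedelta(minutes=minute)
        frames += [(t + timedelta(seconds=i), 0x08) for i in range(10)]
        frames += [(t + timedelta(seconds=10 + i), 0x04) for i in range(2)]
        frames += [(t + timedelta(seconds=12 + i), 0x05) for i in range(2)]
        frames += [(t + timedelta(seconds=20 + i), 0x20) for i in range(6)]
        if minute == 15:
            frames += [(t + timedelta(seconds=30, microseconds=i), 0x04) for i in range(120)]
    return frames

if __name__ == "__main__":
    for interval in (60, 600):  # 1 min and 10 min intervals, as in the post
        g = io_graph(sample_capture(), interval)
        print(interval, peak(g)[0].strftime("%H:%M"), [b.strftime("%H:%M") for b in probe_storm_buckets(g)])
```

With the 1 min interval the burst stands out as a single 07:45 bucket; with the 10 min interval it is smeared across the 07:40 bucket, which is why trying both intervals is worthwhile.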
I hope this will help someone out there. Please feel free to provide any feedback that I can use to improve this and/or my writing. Thank you for reading.