If I run a TCP throughput graph I see that there are plots placed at around 450,000,000 bytes. However if I add up the bytes from the total bytes column from the statistics of the same capture via tshark I get a total of 163,672,972 bytes. The Tshark command is : "C:\Program Files\Wireshark\tshark.exe" -q -z conv,ip -r C:\capture.pcap Can anyone explain how the TCP throughput graph is calculated , and why this difference is occuring... ? Thanks, asked 14 Dec '13, 13:13  bart80 |
One Answer:
Which version of Wireshark are you using? For 1.10 and below the graph shows 21 (yes, 21) segment simple moving average. If the timestamps on a 21-segment span of packets are close together or far apart it will skew the graph high or low, respectively. The packet timestamps Wireshark sees may or may not accurately reflect what happened on the wire depending on a number of factors. For 1.11.x the Gtk+ interface uses a 20 segment SMA (i.e. I fixed the off-by-one error). The Qt interface uses a 1 second SMA. answered 15 Dec '13, 10:08  Gerald Combs ♦♦ |
Ok thanks, im running 1.11.x. could you poss explain how the 20 segment SMA works ?
If I recall the code correctly it keeps a 20 segment long sliding window of the start time, end time, start byte count, and end byte count. The point plotted is the delta bytes over delta time. The function in question is tput_make_elmtlist(), currently at line 4092 of tcp_graph.c.
Ok thanks, the main point Im trying to find is when dealing with microbursts to see the true amount of traffic that was sent/received during the peak (i.e burst) . Ive played around with the IO graphs but they never showed me the totals that I would of expected (prob duing to averaging and the ticks etc)