Why does the TCP conversation dialog constantly refresh?
I want to diagnose TCP throughput of large video file uploads. The TCP throughput graph provides a good view which I use to visualize an issue during the transfer. The transfer is divided into many (50MB~20MB) chunks, so I use the TCP Conversation view to find the ones I want to graph. I locate these easily because they show up as many 443 transfers > 18MB. Of course the .pcap is large (600 MB), even using truncated frames, so the Conversation view takes a while to populate, which is expected and ok if it only did it once :)
The problem occurs when I want to show the throughput graph. First I select the conversation I want and then use the graph button. But rather than graph the selected conversation, it chooses the first stream (BUG #1?).
When the graph opens, it also reloads the TCP Conversation chart, which again takes a long time (BUG #2?)
In order to use the TCP Conversation chart I need the stream ID, which would be helpful if it was listed as a column in the TCP conversation view (REQUEST #1). But instead I use the Follow the Stream button and close it quickly. However this again loads the TCP Conversation which takes a long time (BUG #1 again).
Is there a better/faster way to display TCP throughput charts of the TCP conversations I'm interested in? Or maybe a better, more detailed tool/way, that helps me understand congestion control?
Thanks, Paul
The Gui stuff can be version dependent.
What is output of
wireshark -v
or Help->About Wireshark
?
Version 3.2.3 (v3.2.3-0-gf39b50865a13)
Recap of conversation on Zoom:
- Gerald - the conversation screen is refreshing often for live capture graphing
- Sake - perhaps split the pcap into a file per TCP stream. Example here.
The man page for TCP Stream Graphs mentions tcptrace. Maybe it could be used to help automate the graphs.
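The per-stream split suggested above, together with the stream-index column that is missing from the Conversations view, can be done outside the GUI. The following script is an added example, not code from this thread or from the Wireshark project: it reads a libpcap-format (not pcapng) Ethernet/IPv4 capture, numbers TCP conversations in order of first appearance the way tcp.stream does, totals bytes from the original (pre-truncation) frame length, lists the streams on port 443 above a size threshold, and writes each selected stream to its own pcap that can then be opened on its own for the throughput graph. The sample capture, endpoint addresses and the 18 MB threshold are constructed for the example; the only simplification versus Wireshark is that a port pair reused after a connection closes keeps its old index here instead of starting a new stream.

```python
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4   # libpcap magic, microsecond timestamps

def tcp_frame(src, sport, dst, dport, payload_len):
    """Build a minimal Ethernet/IPv4/TCP frame with a zero-filled payload (constructed input only)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst/src MAC, EtherType IPv4
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 65535, 0, 0)
    return eth + ip + tcp + b"\x00" * payload_len

def build_pcap(records):
    """Serialize (ts_sec, ts_usec, orig_len, captured_bytes) records as a libpcap file (link type Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for sec, usec, orig, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), orig))   # incl_len < orig_len for truncated frames
        out.append(frame)
    return b"".join(out)

def parse_pcap(data):
    """Yield (ts_sec, ts_usec, orig_len, captured_bytes) from a libpcap file; pcapng is not handled."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a libpcap (pcap) file; convert pcapng first")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        yield sec, usec, orig, data[off:off + incl]
        off += incl

def stream_key(frame):
    """Direction-independent key ((ip, port), (ip, port)) for an Ethernet/IPv4/TCP frame, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6 or len(frame) < 14 + ihl + 4:     # not TCP, or truncated before the ports
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return tuple(sorted([(src, sport), (dst, dport)]))

def index_streams(pcap_bytes):
    """Number conversations in order of first appearance, like Wireshark's tcp.stream.
    Simplification: a 4-tuple reused after the connection closes keeps the old index here,
    whereas Wireshark starts a new stream. Bytes are counted from orig_len, so a capture
    taken with truncated frames still reports the true transfer size."""
    streams, by_key = [], {}
    for rec in parse_pcap(pcap_bytes):
        key = stream_key(rec[3])
        if key is None:
            continue
        idx = by_key.setdefault(key, len(streams))
        if idx == len(streams):
            streams.append({"key": key, "bytes": 0, "frames": []})
        streams[idx]["bytes"] += rec[2]
        streams[idx]["frames"].append(rec)
    return streams

def large_streams(streams, port=443, min_bytes=18 * 1024 * 1024):
    """Stream indices with one endpoint on `port` carrying at least min_bytes (the '443, > 18MB' filter)."""
    return [i for i, s in enumerate(streams)
            if s["bytes"] >= min_bytes and port in (s["key"][0][1], s["key"][1][1])]

def stream_pcap(streams, idx):
    """Bytes of a pcap holding only stream idx (what tshark -Y "tcp.stream==idx" -w would write)."""
    return build_pcap(streams[idx]["frames"])

def constructed_capture(snaplen=96):
    """Constructed sample: a 3-segment upload to :443 plus its ACK, one :80 stream, one small :443 stream."""
    plan = [("10.0.0.5", 51000, "203.0.113.10", 443, 1400)] * 3 + [
        ("203.0.113.10", 443, "10.0.0.5", 51000, 0),
        ("10.0.0.5", 51001, "203.0.113.10", 80, 500),
        ("10.0.0.5", 51002, "203.0.113.10", 443, 1400)]
    records = []
    for i, (s, sp, d, dp, n) in enumerate(plan):
        frame = tcp_frame(s, sp, d, dp, n)
        records.append((1000 + i, 0, len(frame), frame[:snaplen]))   # truncate like a snaplen-limited capture
    return build_pcap(records)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_capture()
    streams = index_streams(data)
    for i, s in enumerate(streams):
        print(f"tcp.stream=={i}  {s['key'][0]} <-> {s['key'][1]}  frames={len(s['frames'])}  bytes={s['bytes']}")
    threshold = 4000 if len(sys.argv) == 1 else 18 * 1024 * 1024   # small threshold for the constructed sample
    for i in large_streams(streams, 443, threshold):
        path = f"stream-{i}.pcap"
        with open(path, "wb") as f:
            f.write(stream_pcap(streams, i))
        print("wrote", path)
```

Run it as `python split_streams.py capture.pcap` to get the stream index, endpoints and byte count for every conversation, and a `stream-N.pcap` for each large port-443 stream; opening one of those small files gives the throughput graph without the Conversations dialog re-scanning the whole 600 MB trace. Because a 600 MB capture is read into memory in one piece here, a streaming reader would be the first change to make for real use.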
I think this is a good approach to work around the issue, but I can't get tshark working. The example given uses -R, but it claims -2 is required, so I tried this:
tshark -2 -R "tcp.stream==0" -r cptA.pcap -w stream-0.pcap -T fields -e tcp.srcport
I added the -T fields to see what happens without having to open the pcap. Only 3 lines are displayed. But if I filter the same trace in wireshark, many more frames are displayed. I also tried -Y, but same results. If I change the filter to "tcp", it works fine.
Am I doing this correctly?
Your syntax looks good.
Can you sanitize and share a pcap?
If not there is one here with many TCP streams to test on.