Why does the TCP conversation dialog constantly refresh?

asked 2020-05-15 13:15:04 +0000

PaulELong gravatar image

updated 2020-05-15 13:22:59 +0000

I want to diagnose TCP throughput of large video file uploads. The TCP throughput graph provides a good view which I use to visualize an issue during the transfer. The transfer is divided into many (50MB~20MB) chunks, so I use the TCP Conversation view to find the ones I want to graph. I locate these easily because they show up as many 443 transfers > 18MB. Of course the .pcap is large (600 MB), even using truncated frames, so the Conversation view takes a while to populate, which is expected and ok if it only did it once :)

The problem occurs when I want to show the throughput graph. First I select the conversation I want and then use the graph button. But rather than graph the selected conversation, it chooses the first stream (BUG #1?).

When the graph opens, it also reload the TCP Conversation chart which again takes a long time (BUG #2?)

In order to use the TCP Conversation chart I need the stream ID, which would be helpful if it was listed as a column in the TCP conversation view (REQUEST #1). But instead I use the Follow the Stream button and close it quickly. However this again loads the TCP Conversation which takes a long time (BUG #1 again).

Is there a better/faster way to display TCP throughput charts of the TCP conversations I'm interested in? Or maybe a better, more detailed tool/way, that helps me understand congestion control?

Thanks, Paul

edit retag flag offensive close merge delete

Comments

The Gui stuff can be version dependent.
What is output of wireshark -v or Help->About Wireshark ?

Chuckc gravatar imageChuckc ( 2020-05-15 15:00:20 +0000 )edit

Version 3.2.3 (v3.2.3-0-gf39b50865a13)

PaulELong gravatar imagePaulELong ( 2020-05-15 22:17:27 +0000 )edit

Recap of conversation on Zoom:
- Gerald - the conversation screen is refreshing often for live capture graphing
- Sake - perhaps split the pcap into a file per TCP stream. Example here .

The man page for TCP Stream Graphs mentions tcptrace . Maybe it could be used to help automate the graphs.

Chuckc gravatar imageChuckc ( 2020-05-19 19:42:53 +0000 )edit

I think this is a good approach to workaround the issue, but I can't get tshark working. The example given users -R, but it claims -2 is required, so I tried this::

tshark -2 -R "tcp.stream==0" -r cptA.pcap -w stream-0.pcap -T fields -e tcp.srcport

I added the -T fields to see what happens without having to open the pcap. Only 3 lines are displayed. But if I filter the same trace in wireshark, many more frames are displayed. I also tried -Y, but same results. If I change the filter to "tcp", it works fine.

Am I doing this correctly?

PaulELong gravatar imagePaulELong ( 2020-05-20 16:23:20 +0000 )edit

Your syntax looks good.
Can you sanitize and share a pcap?
If not there is one here with many TCP streams to test on.

Chuckc gravatar imageChuckc ( 2020-05-20 16:46:26 +0000 )edit
see more comments