Ask Your Question

Plotting TCP Receive Window using I/O Graph

asked 2018-05-03 16:10:49 +0000

NJL gravatar image

updated 2018-05-03 16:12:57 +0000


The FTP transfer capture I'm looking at clearly shows TCP ZeroWindow occassionally and I want to graph this using I/O Graph in Wireshark v2.6.0, however it's not working like it want it to! :-)

I would like a graph thats is more or less a declining line whenever the receivers window is being used, with a clear "dip" whenever the window size reaches zero. This should be possible based on looking at a column showing tcp.window_size.

What I'm getting is more or less the opposite: a flat line at zero with a lot of peaks, with no clear indication when the window reaching zero. This is really confusing, because the window size is nowhere near zero that often and also not as "bursty", but a reasonably stable declining value as one would expect.

I'm filtering on the source using ip.src=="ip of source" and a Y-field of tcp.window_size. I've tried every Y Axis calculation, but it seems what I'm really in need of is something that just graphs the value of the Y field, and not the Max, Min or AVG.

I'm guessing I'm doing this wrong - or at least I'm hoping - so can someone with knowledge on the subject help me out? :-)

Regards, Niels

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2018-05-05 22:27:05 +0000

Christian_R gravatar image

updated 2018-05-05 22:29:43 +0000

I just can tell you the opposit: A flat line with a peak when Window Size is 0.

Display Filter: (ip.src=="ip of source") and (tcp.window_size == 0) You should set y-Axis to packets. And as style you can use "impuls" or "dot"

All Other fields especially the "Y-Field" should stay empty.

edit flag offensive delete link more


Well, it works, but it's still not what I'm after. I found this thread which is my source of inspiration:

In that graph it's clear it's a flat line illustrating the window size, and I've tried using the same fields, but cannot get a similar graph.

NJL gravatar imageNJL ( 2018-05-06 05:58:56 +0000 )edit

O.k. But it is a littel bit different to what you want to plot. So in your case I woulld use

Display Filter: (ip.src=="ip of source")

Y-Axis: set it to Min(Y-Field)

Y-field: tcp.window_size

If you want to have it better, you need the tcptrace or scaling window graphs.

Or you can use excel.

Christian_R gravatar imageChristian_R ( 2018-05-06 19:50:08 +0000 )edit

answered 2018-05-03 18:18:47 +0000

Shan gravatar image

Personally, I would shy away from the I/O graph and instead make use of the tcptrace graph. It is a little hard to read at first, but there are some great explanations of it online. To get to the tcptrace graph, in Wireshark go to Statistics > TCP Stream Graphs > Time Sequence (tcptrace). Again, you'll likely want some additional explanation of how it works, so search around for some good resources on the web. Hope this helps!

edit flag offensive delete link more


Thanks for the suggestion. I know about the tcptrace graph, but unfortunately it's also not giving me the graph I want. Basically I want a "management friendly" graph that very clearly shows the dips in the window size when the receiver signals a TCP Receive Window of zero bytes and not something that needs a lot of explanation. I'm sure that is possible using the I/O graph, but I just can't figure it out :-)

I've naturally also tried the blatantly obvious Statistics -> TCP Stream Graphs -> Window Scaling which is actually what I want, but if I disable "Bytes Out" (which shows bytes in flight) then I cannot click on the graph and jump to the relevant packet in the capture itself. This works only on the Bytes Out graph. Not sure if this is on purpose or a bug...

NJL gravatar imageNJL ( 2018-05-04 06:08:29 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools



Asked: 2018-05-03 16:10:49 +0000

Seen: 7,582 times

Last updated: May 05 '18