1 // WSUG Chapter Statistics
11 Wireshark provides a wide range of network statistics which can be accessed via
12 the menu:Statistics[] menu.
14 These statistics range from general information about the loaded capture file
15 (like the number of captured packets), to statistics about specific protocols
16 (e.g. statistics about the number of HTTP requests and responses captured).
20 - *Summary* about the capture file.
22 - *Protocol Hierarchy* of the captured packets.
24 - *Conversations* e.g. traffic between specific IP addresses.
26 - *Endpoints* e.g. traffic to and from an IP addresses.
28 - *IO Graphs* visualizing the number of packets (or similar) in time.
30 * Protocol specific statistics:
32 - *Service Response Time* between request and response of some protocols.
34 - Various other protocol specific statistics.
38 The protocol specific statistics require detailed knowledge about the specific
39 protocol. Unless you are familiar with that protocol, statistics about it will
40 be pretty hard to understand.
45 === The “Summary” window
47 General statistics about the current capture file.
50 image::wsug_graphics/ws-stats-summary.png[{screenshot-attrs}]
52 * __File__: general information about the capture file.
54 * __Time__: the timestamps when the first and the last packet were captured (and
55 the time between them).
57 * __Capture__: information from the time when the capture was done (only
58 available if the packet data was captured from the network and not loaded from
61 * __Display__: some display related information.
63 * __Traffic__: some statistics of the network traffic seen. If a display filter
64 is set, you will see values in the Captured column, and if any packages are
65 marked, you will see values in the Marked column. The values in the _Captured_
66 column will remain the same as before, while the values in the _Displayed_
67 column will reflect the values corresponding to the packets shown in the
68 display. The values in the _Marked_ column will reflect the values
69 corresponding to the marked packages.
73 === The “Protocol Hierarchy” window
75 The protocol hierarchy of the captured packets.
77 .The “Protocol Hierarchy” window
78 image::wsug_graphics/ws-stats-hierarchy.png[{screenshot-attrs}]
80 This is a tree of all the protocols in the capture. Each row contains the
81 statistical values of one protocol. Two of the columns (_Percent Packets_ and
82 _Percent Bytes_) serve double duty as bar graphs. If a display filter is set it
83 will be shown at the bottom.
85 The btn:[Copy] button will let you copy the window contents as CSV or YAML.
87 .Protocol hierarchy columns
89 _Protocol_:: This protocol’s name
91 _Percent Packets_:: The percentage of protocol packets relative to all packets in
94 _Packets_:: The total number of packets of this protocol
96 _Percent Bytes_:: The percentage of protocol bytes relative to the total bytes in
99 _Bytes_:: The total number of bytes of this protocol
101 _Bits/s_:: The bandwidth of this protocol relative to the capture time
103 _End Packets_:: The absolute number of packets of this protocol where it
104 was the highest protocol in the stack (last dissected)
106 _End Bytes_:: The absolute number of bytes of this protocol where it
107 was the highest protocol in the stack (last dissected)
109 _End Bits/s_:: The bandwidth of this protocol relative to the capture time where
110 was the highest protocol in the stack (last dissected)
112 Packets usually contain multiple protocols. As a result more than one protocol will
113 be counted for each packet. Example: In the screenshot IP has 99.9% and TCP
114 98.5% (which is together much more than 100%).
116 Protocol layers can consist of packets that won’t contain any higher layer
117 protocol, so the sum of all higher layer packets may not sum up to the protocols
118 packet count. Example: In the screenshot TCP has 98.5% but the sum of the
119 subprotocols (SSL, HTTP, etc) is much less. This can be caused by continuation
120 frames, TCP protocol overhead, and other undissected data.
122 A single packet can contain the same protocol more than once. In this case, the
123 protocol is counted more than once. For example ICMP replies and many tunneling
124 protocols will carry more than one IP header.
126 [[ChStatConversations]]
130 A network conversation is the traffic between two specific endpoints. For
131 example, an IP conversation is all the traffic between two IP addresses. The
132 description of the known endpoint types can be found in
135 [[ChStatConversationsWindow]]
137 ==== The “Conversations” window
139 The conversations window is similar to the endpoint Window. See
140 <<ChStatEndpointsWindow>> for a description of their common features. Along with
141 addresses, packet counters, and byte counters the conversation window adds four
142 columns: the start time of the conversation (“Rel Start”) or (“Abs Start”),
143 the duration of the conversation in seconds, and the average bits (not bytes)
144 per second in each direction. A timeline graph is also drawn across the
145 “Rel Start” / “Abs Start” and “Duration” columns.
147 .The “Conversations” window
148 image::wsug_graphics/ws-stats-conversations.png[{screenshot-attrs}]
150 Each row in the list shows the statistical values for exactly one conversation.
152 _Name resolution_ will be done if selected in the window and if it is active for
153 the specific protocol layer (MAC layer for the selected Ethernet endpoints
154 page). _Limit to display filter_ will only show conversations matching the
155 current display filter. _Absolute start time_ switches the start time column
156 between relative (“Rel Start”) and absolute (“Abs Start”) times. Relative start
157 times match the “Seconds Since Beginning of Capture” time display format in the
158 packet list and absolute start times match the “Time of Day” display format.
160 The btn:[Copy] button will copy the list values to the clipboard in CSV
161 (Comma Separated Values) or YAML format. The btn:[Follow Stream...] button
162 will show the stream contents as described in <<ChAdvFollowStream>> dialog. The
163 btn:[Graph...] button will show a graph as described in <<ChStatIOGraphs>>.
165 btn:[Conversation Types] lets you choose which traffic type tabs are shown.
166 See <<ChStatEndpoints>> for a list of endpoint types. The enabled types
167 are saved in your profile settings.
171 This window will be updated frequently so it will be useful even if you open
172 it before (or while) you are doing a live capture.
176 // [[ChStatConversationListWindow]]
182 A network endpoint is the logical endpoint of separate protocol traffic of a
183 specific protocol layer. The endpoint statistics of Wireshark will take the
184 following endpoints into account:
188 If you are looking for a feature other network tools call a _hostlist_, here is
189 the right place to look. The list of Ethernet or IP endpoints is usually what
193 .Endpoint and Conversation types
195 _Bluetooth_:: A MAC-48 address similar to Ethernet.
197 _Ethernet_:: Identical to the Ethernet device’s MAC-48 identifier.
199 _Fibre Channel_:: A MAC-48 address similar to Ethernet.
201 _IEEE 802.11_:: A MAC-48 address similar to Ethernet.
203 _FDDI_:: Identical to the FDDI MAC-48 address.
205 _IPv4_:: Identical to the 32-bit IPv4 address.
207 _IPv6_:: Identical to the 128-bit IPv6 address.
209 _IPX_:: A concatenation of a 32 bit network number and 48 bit node address, by
210 default the Ethernet interface’s MAC-48 address.
212 _JXTA_:: A 160 bit SHA-1 URN.
214 _NCP_:: Similar to IPX.
216 _RSVP_:: A combination of varios RSVP session attributes and IPv4 addresses.
218 _SCTP_:: A combination of the host IP addresses (plural) and
219 the SCTP port used. So different SCTP ports on the same IP address are different
220 SCTP endpoints, but the same SCTP port on different IP addresses of the same
221 host are still the same endpoint.
223 _TCP_:: A combination of the IP address and the TCP port used.
224 Different TCP ports on the same IP address are different TCP endpoints.
226 _Token Ring_:: Identical to the Token Ring MAC-48 address.
228 _UDP_:: A combination of the IP address and the UDP port used, so different UDP
229 ports on the same IP address are different UDP endpoints.
231 _USB_:: Identical to the 7-bit USB address.
234 .Broadcast and multicast endpoints
236 Broadcast and multicast traffic will be shown separately as additional
237 endpoints. Of course, as these aren’t physical endpoints the real traffic
238 will be received by some or all of the listed unicast endpoints.
241 [[ChStatEndpointsWindow]]
243 ==== The “Endpoints” window
245 This window shows statistics about the endpoints captured.
247 .The “Endpoints” window
248 image::wsug_graphics/ws-stats-endpoints.png[{screenshot-attrs}]
250 For each supported protocol, a tab is shown in this window. Each tab label shows
251 the number of endpoints captured (e.g. the tab label “Ethernet · 4” tells
252 you that four ethernet endpoints have been captured). If no endpoints of a
253 specific protocol were captured, the tab label will be greyed out (although the
254 related page can still be selected).
256 Each row in the list shows the statistical values for exactly one endpoint.
258 _Name resolution_ will be done if selected in the window and if it is active for
259 the specific protocol layer (MAC layer for the selected Ethernet endpoints
260 page). _Limit to display filter_ will only show conversations matching the
261 current display filter. Note that in this example we have GeoIP configured which
262 gives us extra geographic columns. See <<ChGeoIPDbPaths>> for more information.
264 The btn:[Copy] button will copy the list values to the clipboard in CSV
265 (Comma Separated Values) or YAML format.
267 btn:[Endpoint Types] lets you choose which traffic type tabs are shown. See
268 <<ChStatEndpoints>> above for a list of endpoint types. The enabled
269 types are saved in your profile settings.
273 This window will be updated frequently, so it will be useful even if you open
274 it before (or while) you are doing a live capture.
278 // [[ChStatEndpointListWindow]]
282 === The “IO Graphs” window
284 User configurable graph of the captured network packets.
286 You can define up to five differently colored graphs.
288 .The “IO Graphs” window
289 image::wsug_graphics/ws-stats-iographs.png[{screenshot-attrs}]
291 The user can configure the following things:
295 - __Graph 1-5__: enable the specific graph 1-5 (only graph 1 is enabled by default)
297 - __Color__: the color of the graph (cannot be changed)
299 - __Filter__: a display filter for this graph (only the packets that pass this filter will be taken into account for this graph)
301 - __Style__: the style of the graph (Line/Impulse/FBar/Dot)
305 - __Tick interval__: an interval in x direction lasts (10/1 minutes or 10/1/0.1/0.01/0.001 seconds)
307 - __Pixels per tick__: use 10/5/2/1 pixels per tick interval
309 - __View as time of day__: option to view x direction labels as time of day instead of seconds or minutes since beginning of capture
313 - __Unit__: the unit for the y direction (Packets/Tick, Bytes/Tick, Bits/Tick, Advanced...) [XXX - describe the Advanced feature.]
315 - __Scale__: the scale for the y unit (Logarithmic,Auto,10,20,50,100,200,500,...)
317 The btn:[Save] button will save the currently displayed portion of the graph as one
318 of various file formats.
320 The btn:[Copy] button will copy values from selected graphs to the clipboard in CSV
321 (Comma Separated Values) format.
326 Click in the graph to select the first package in the selected interval.
331 === Service Response Time
333 The service response time is the time between a request and the corresponding
334 response. This information is available for many protocols.
336 Service response time statistics are currently available for the following protocols:
354 As an example, the DCE-RPC service response time is described in more detail.
358 The other Service Response Time windows will work the same way (or only slightly
359 different) compared to the following description.
364 ==== The “Service Response Time DCE-RPC” window
366 The service response time of DCE-RPC is the time between the request and the
367 corresponding response.
369 First of all, you have to select the DCE-RPC interface:
371 .The “Compute DCE-RPC statistics” window
372 image::wsug_graphics/ws-stats-srt-dcerpc-filter.png[{screenshot-attrs}]
374 You can optionally set a display filter, to reduce the amount of packets.
376 .The “DCE-RPC Statistic for ...” window
377 image::wsug_graphics/ws-stats-srt-dcerpc.png[{screenshot-attrs}]
379 Each row corresponds to a method of the interface selected (so the EPM interface
380 in version 3 has 7 methods). For each method the number of calls, and the
381 statistics of the SRT time is calculated.
383 [[ChStatCompareCaptureFiles]]
385 === Compare two capture files
387 Compare two capture files.
389 This feature works best when you have merged two capture files chronologically,
390 one from each side of a client/server connection.
392 The merged capture data is checked for missing packets. If a matching connection
393 is found it is checked for:
395 * IP header checksums
397 * Excessive delay (defined by the “Time variance” setting)
401 .The “Compare” window
402 image::wsug_graphics/ws-stats-compare.png[{screenshot-attrs}]
404 You can configure the following:
406 * _Start compare:_ Start comparing when this many IP IDs are matched. A zero value starts comparing immediately.
408 * _Stop compare:_ Stop comparing when we can no longer match this many IP IDs. Zero always compares.
410 * _Endpoint distinction:_ Use MAC addresses or IP time-to-live values to determine connection endpoints.
412 * _Check order:_ Check for the same IP ID in the previous packet at each end.
414 * _Time variance:_ Trigger an error if the packet arrives this many milliseconds after the average delay.
416 * _Filter:_ Limit comparison to packets that match this display filter.
418 The info column contains new numbering so the same packets are parallel.
420 The color filtering differentiate the two files from each other. A
421 “zebra” effect is create if the Info column is sorted.
425 If you click on an item in the error list its corresponding packet will be
426 selected in the main window.
429 [[ChStatWLANTraffic]]
431 === WLAN Traffic Statistics
433 Statistics of the captured WLAN traffic. This window will summarize the wireless
434 network traffic found in the capture. Probe requests will be merged into an
435 existing network if the SSID matches.
437 .The “WLAN Traffic Statistics” window
438 image::wsug_graphics/ws-stats-wlan-traffic.png[{screenshot-attrs}]
440 Each row in the list shows the statistical values for exactly one wireless
443 _Name resolution_ will be done if selected in the window and if it is active for
446 _Only show existing networks_ will exclude probe requests with a SSID not
447 matching any network from the list.
449 The btn:[Copy] button will copy the list values to the clipboard in CSV (Comma
450 Separated Values) format.
455 This window will be updated frequently, so it will be useful, even if you open
456 it before (or while) you are doing a live capture.
461 === The protocol specific statistics windows
463 The protocol specific statistics windows display detailed information of
464 specific protocols and might be described in a later version of this document.
466 Some of these statistics are described at
467 {wireshark-wiki-url}Statistics.
469 // End of WSUG Chapter Statistics