TCP time-sequence graphs based on the UNIX tcpdump command provide us with additional data on the connection that we monitor. In addition to the standard sequence/seconds view of the Time-Sequence (Stevens) graph, we also get information on the ACKs that were sent, retransmissions, window size, and other details that enable us to analyze problems on the connection.
Open an existing capture or start a new capture, and click on a specific packet in the capture file. Even though you can use this feature on a running capture, it is not meant for online statistics, so it is recommended that you start a capture, stop it, and then use this tool.
To view TCP stream graph statistics, perform the following steps:
The graph shows the advance of byte transfer over time in the lower black graph and the window size in the upper gray graph. When there is space between the two, it means that the receiver still has buffer space left and TCP will keep transferring bytes. Once they get closer and touch each other, it is a window-full condition that does not allow further data transfer until the receiver acknowledges data and frees buffer space.
You can see that in the packet capture, there is a frame at time 1,273 (seconds after the beginning of the capture), a break, a packet at time 1,386, a break, and a packet at time 1,499.
In the TCP stream graph you see the same breaks in transmission, and we can then go back to the packet list pane to look for their reason.
The Time sequence (TCP-trace) graph is taken from the UNIX tcpdump command. In addition to the sequence numbers, it draws the window size advertised by the receiver (this is the buffer size allocated by the receiver to the process), along with retransmitted packets and ACKs.
Working with this graph provides us with a lot of information, which we will use later for network debugging. Phenomena such as a receive window that fills faster than expected, a large number of retransmissions, and others become visible in this graph, which helps us to solve them.
The more we zoom in, the more details we will get as shown in the following screenshot:
A bar is an indication of a packet that carries data between its initial and final sequence numbers. A bar that does not sit on the regular graph and looks like it has run away from it is a retransmission, and a gray bar is a duplicate ACK. We will learn about these phenomena in Chapter 9, UDP/TCP Analysis.
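To make the reading of the graph concrete, here is an added example (not code from the book or from Wireshark) that reproduces, in Python, what the TCP-trace graph draws and flags for one direction of a connection: the black data bars, the ACK line and the upper gray window line, and the four phenomena discussed above: the window-full condition where a data bar touches the window line, a retransmission bar that lands on bytes already sent, duplicate ACKs, and breaks in transmission like the ones between 1,273 s, 1,386 s and 1,499 s. The packet records, the addresses 10.0.0.1 and 10.0.0.2, the 4000-byte window and the 0.1 s gap threshold are all constructed for the example, not taken from a real capture.

```python
"""Tcptrace-style analysis of one direction of a TCP conversation (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Pkt:
    t: float     # seconds since the start of the capture
    src: str     # host that sent this segment
    seq: int     # relative sequence number of the first payload byte
    length: int  # payload bytes (0 for a pure ACK)
    ack: int     # acknowledgement number
    win: int     # advertised receive window, already scaled


@dataclass
class Finding:
    t: float
    kind: str    # "window-full" | "retransmission" | "dup-ack" | "gap"
    detail: str


def tcptrace_series(pkts: List[Pkt], sender: str):
    """What the graph draws for data flowing from `sender`: one bar (t, seq, seq+len)
    per data segment (lower black graph), the ACK line (t, ack) and the window line
    (t, ack+win) taken from the peer's segments (upper gray graph)."""
    bars: List[Tuple[float, int, int]] = []
    acks: List[Tuple[float, int]] = []
    wins: List[Tuple[float, int]] = []
    for p in pkts:
        if p.src == sender and p.length > 0:
            bars.append((p.t, p.seq, p.seq + p.length))
        elif p.src != sender:
            acks.append((p.t, p.ack))
            wins.append((p.t, p.ack + p.win))
    return bars, acks, wins


def analyze(pkts: List[Pkt], sender: str, gap_threshold: float = 0.1) -> List[Finding]:
    """Flag the phenomena the graph makes visible, walking the capture in time order."""
    findings: List[Finding] = []
    highest_end = 0                       # highest seq+len seen from the sender so far
    win_edge: Optional[int] = None        # peer's ack + win: the upper gray line
    last_ack = last_win = None            # state for duplicate-ACK detection
    last_data_t: Optional[float] = None   # time of the previous data segment
    for p in pkts:
        if p.src != sender:
            win_edge = p.ack + p.win
            # pure ACK repeating the same ack number and window: a duplicate ACK (gray bar)
            if p.length == 0 and p.ack == last_ack and p.win == last_win:
                findings.append(Finding(p.t, "dup-ack", f"ack {p.ack} repeated"))
            last_ack, last_win = p.ack, p.win
            continue
        if p.length == 0:
            continue
        end = p.seq + p.length
        # break in transmission: a long silence before this data bar
        if last_data_t is not None and p.t - last_data_t > gap_threshold:
            findings.append(Finding(p.t, "gap", f"{p.t - last_data_t:.3f}s since previous data"))
        last_data_t = p.t
        # bar lands on bytes that were already sent: a retransmission (the runaway bar)
        if end <= highest_end:
            findings.append(Finding(p.t, "retransmission", f"bytes {p.seq}-{end} sent again"))
        else:
            highest_end = end
        # the black bar touches the gray window line: the receiver's buffer is full
        if win_edge is not None and end >= win_edge:
            findings.append(Finding(p.t, "window-full", f"seq end {end} reached window edge {win_edge}"))
    return findings


def count_by_kind(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample: client C sends data, server S acknowledges with a 4000-byte window.
C, S = "10.0.0.1", "10.0.0.2"
SAMPLE = [
    Pkt(0.000, C, 1,    1000, 1,    65535),  # first data segment
    Pkt(0.001, S, 1,    0,    1001, 4000),   # ACK line at 1001, window line at 5001
    Pkt(0.002, C, 1001, 1000, 1,    65535),  # this segment is lost on the way
    Pkt(0.003, C, 2001, 1000, 1,    65535),
    Pkt(0.004, C, 3001, 1000, 1,    65535),
    Pkt(0.005, C, 4001, 1000, 1,    65535),  # ends at 5001: touches the window line
    Pkt(0.006, S, 1,    0,    1001, 4000),   # duplicate ACK 1
    Pkt(0.007, S, 1,    0,    1001, 4000),   # duplicate ACK 2
    Pkt(0.008, S, 1,    0,    1001, 4000),   # duplicate ACK 3
    Pkt(0.009, C, 1001, 1000, 1,    65535),  # retransmission of the lost segment
    Pkt(0.010, S, 1,    0,    5001, 4000),   # everything up to 5001 acknowledged
    Pkt(1.273, C, 5001, 1000, 1,    65535),  # three segments separated by breaks,
    Pkt(1.386, C, 6001, 1000, 1,    65535),  # as in the capture described above
    Pkt(1.499, C, 7001, 1000, 1,    65535),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE, C):
        print(f"{f.t:8.3f}  {f.kind:15s} {f.detail}")
    print(count_by_kind(analyze(SAMPLE, C)))
```

Each finding corresponds to something you would see on the graph: the window-full hit is the bar at 0.005 s reaching the gray line, the three gray bars at 0.006 to 0.008 s are the duplicate ACKs, the bar at 0.009 s sits below the others because it retransmits bytes 1001 to 2001, and the three gaps are the empty stretches before 1.273 s, 1.386 s and 1.499 s. Adjust `gap_threshold` to the round-trip time of the connection you are looking at; 0.1 s is only a value chosen for the constructed sample.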