TCP Time Sequence graphs with tcptrace

Overview

In Wireshark, you may have seen TCP time sequence graphs under Statistics > TCP StreamGraph. Time sequence graphs can be useful to troubleshoot TCP flows, but the Wireshark graphs lack some of the details that tcptrace provides.

Figure: Boring Wireshark tcptrace time sequence graph

Figure: Fancy tcptrace graphed with xplot

Notice that the tcptrace/xplot version of the graph flags the SYN packet. The S around 40ms represents a SACK. The white arrows (zoomed image below) indicate packets. An arrow with a diamond at the top indicates a packet with the PSH flag set. For more details on the different markings on a tcptrace time sequence graph, refer to the manual.

Figure: SACK / packet detailed view

Installation and usage

In order to use tcptrace on a Debian/Ubuntu system, install the tcptrace and xplot packages.

In this example, I am providing tcptrace with a pcap containing a single TCP stream. tcptrace has more advanced methods for filtering, but if you are already analyzing a flow in Wireshark, it is easy enough to export the selected stream to a separate pcap.

Using tcptrace, create the xplot .xpl files. -zxy anchors both the x and y axes at 0; -S creates the time sequence graphs.

Graph the output using xplot. I had to use the xplot.org binary as vanilla xplot would not open the files generated by tcptrace.

In addition to time sequence graphs, tcptrace will generate throughput, round trip time, owin (or "bytes in flight"), and segment size graphs. Use tcptrace with the -G flag to generate .xpl files for all graph types.
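The three steps above (generate the .xpl files with tcptrace, then open them with xplot.org rather than vanilla xplot) wrapped in a small POSIX sh script, as an added example that is not part of the original post. It assumes tcptrace and xplot.org are on the PATH; the function names and the single-stream pcap argument are my own.

```shell
#!/bin/sh
# Added example: drive the tcptrace -> xplot workflow from one script.
# Assumes the tcptrace and xplot.org binaries are installed (Debian/Ubuntu:
# packages tcptrace and xplot-xplot.org); function names here are hypothetical.
set -eu

# Build the tcptrace argument string for one pcap.
#   ts  -> -zxy -S  (time sequence graphs only)
#   all -> -zxy -G  (time sequence, throughput, rtt, owin, segsize)
# -zxy anchors both axes at 0. Returned as text so it can be checked
# without actually running tcptrace.
tcptrace_args() {
    pcap=$1
    kind=${2:-ts}
    case $kind in
        ts)  printf '%s\n' "-zxy -S $pcap" ;;
        all) printf '%s\n' "-zxy -G $pcap" ;;
        *)   echo "unknown graph kind: $kind" >&2; return 1 ;;
    esac
}

# Prefer xplot.org: vanilla xplot may refuse the files tcptrace writes.
pick_xplot() {
    for cand in xplot.org xplot; do
        if command -v "$cand" >/dev/null 2>&1; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Full pipeline: validate input, generate .xpl files, open each one.
graph_stream() {
    pcap=$1
    kind=${2:-ts}
    [ -r "$pcap" ] || { echo "cannot read $pcap" >&2; return 1; }
    xp=$(pick_xplot) || { echo "no xplot binary found" >&2; return 1; }
    # shellcheck disable=SC2046  (word splitting of the flag string is intended)
    tcptrace $(tcptrace_args "$pcap" "$kind") >/dev/null
    for f in *.xpl; do
        [ -e "$f" ] || { echo "tcptrace produced no .xpl files" >&2; return 1; }
        "$xp" "$f" &
    done
    wait
}
```

Run it as `graph_stream stream.pcap` for the time sequence graphs, or `graph_stream stream.pcap all` to get every graph type tcptrace supports.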

I hope you enjoy your new and improved TCP graphs. They are useful for getting a high level picture of the health of a TCP stream.
