TCP Time Sequence graphs with tcptrace


In Wireshark, you may have seen TCP time sequence graphs under Statistics > TCP StreamGraph. Time sequence graphs are useful for troubleshooting TCP flows, but Wireshark's rendering lacks some of the detail that tcptrace provides.


Boring Wireshark tcptrace time sequence graph


Fancy tcptrace graphed with xplot

Notice that the tcptrace/xplot version of the graph explicitly flags the SYN packet. The S around 40ms represents a SACK block. The white arrows (see the zoomed image below) each represent a segment; an arrow with a diamond at its tip is a segment with the PSH flag set. For more details on the different markings on a tcptrace time sequence graph, refer to the tcptrace manual.

SACK / packet detailed view


Installation and usage

To use tcptrace on Debian/Ubuntu, install the tcptrace and xplot packages.

In this example, I am providing tcptrace with a pcap containing a single TCP stream. tcptrace has more advanced methods for filtering, but if you are already analyzing a flow in Wireshark, it is easy enough to export the selected stream to a separate pcap (apply the stream's display filter, then File > Export Specified Packets with "displayed" selected).

Using tcptrace, create the xplot .xpl files. -S creates the time sequence graphs; -zxy starts both axes at 0 (relative time on x instead of wall-clock time, relative sequence numbers on y instead of the absolute ISN-based values), which makes the graph much easier to read.

Graph the output using xplot. I had to use the binary as vanilla xplot would not open the files generated by tcptrace.

In addition to time sequence graphs, tcptrace will generate throughput, round trip time, owin (outstanding window, or "bytes in flight"), and segment size graphs. Use tcptrace with the -G flag to generate .xpl files for all graph types at once.
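The complete procedure above (install, generate the .xpl files, view them, and read the markings back out of a graph file) as a shell script. This is an added example, not code from the original post. The package and binary name xplot.org, the -n flag, and the .xpl command shapes it parses (uarrow/darrow for segments, diamond for PSH, a text command followed by its label on the next line, "S" for a SACK block) are assumptions about tcptrace and xplot, and the sample .xpl it writes is constructed, not real tcptrace output.

```shell
#!/bin/sh
# Added example: tcptrace -> xplot workflow plus a marker summary for .xpl files.
# Assumptions: Debian/Ubuntu package names, the xplot.org binary, and the .xpl
# command shapes listed in the comments below.

# Install (assumed package names). xplot.org is the fork that opens tcptrace's
# output; the original "xplot" package frequently refuses the files.
#   sudo apt-get install tcptrace xplot.org

# Generate time sequence graphs for every connection in the pcap.
#   -S    time sequence graphs          -zxy  both axes start at 0
#   -n    no reverse DNS, so it works offline
# Output lands in the current directory as <a2b>_tsg.xpl / <b2a>_tsg.xpl.
# Swap -S for -G to also get _tput, _rtt, _owin and _ssize graphs.
tcp_graphs() {
    pcap=$1
    [ -r "$pcap" ] || { echo "cannot read pcap: $pcap" >&2; return 2; }
    command -v tcptrace >/dev/null 2>&1 || { echo "tcptrace not installed" >&2; return 2; }
    tcptrace -n -S -zxy "$pcap" >/dev/null || return 1
    ls ./*_tsg.xpl
}

# View one graph (assumed binary name from the xplot.org package).
view_graph() {
    xplot.org "$1"
}

# Summarize the markings the post describes in a .xpl file.
# Assumed command shapes: "uarrow x y"/"darrow x y" = a segment,
# "diamond x y" = PSH set, "[ablr]text x y" followed by a line holding the
# label, where "S" labels a SACK block and "SYN"/"FIN" label those segments.
xpl_summary() {
    awk '
        $1 == "uarrow" || $1 == "darrow" { pkts++ }
        $1 == "diamond"                  { psh++ }
        $1 ~ /^[ablr]text$/              { want_text = 1; next }
        want_text {
            if ($0 == "S") sack++
            else if ($0 == "SYN") syn++
            else if ($0 == "FIN") fin++
            want_text = 0
        }
        END { printf "packets=%d psh=%d sack=%d syn=%d fin=%d\n",
                     pkts, psh, sack, syn, fin }
    ' "$1"
}

# Constructed sample in the assumed .xpl shapes (NOT real tcptrace output):
# SYN, two data segments (second with PSH), one SACK block, then FIN.
make_sample_xpl() {
    cat > "$1" <<'EOF'
timeval double
title
sample (time sequence graph)
xlabel
time
ylabel
sequence number
green
line 0.000000 0 0.000000 1
uarrow 0.000000 1
atext 0.000000 1
SYN
line 0.010000 1 0.010000 1461
uarrow 0.010000 1461
line 0.020000 1461 0.020000 2921
uarrow 0.020000 2921
diamond 0.020000 2921
yellow
line 0.040000 1461 0.040000 2921
atext 0.040000 2921
S
green
line 0.050000 2921 0.050000 2922
uarrow 0.050000 2922
atext 0.050000 2922
FIN
EOF
}

# Usage:
#   tcp_graphs stream.pcap && view_graph a2b_tsg.xpl
#   xpl_summary a2b_tsg.xpl
```

Running xpl_summary over a real tcptrace _tsg.xpl gives a quick sanity check before opening the graph: a stream with many SACK blocks or almost no PSH diamonds relative to its packet count is worth a closer look in xplot.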

I hope you enjoy your new and improved TCP graphs. They are useful for getting a high level picture of the health of a TCP stream.