I have learnt about wireshark and tcp from you more than anyone else...thank you bro
Same feelings here...
Thanks Mangal! I have more content in store so please stay tuned!
@@ChrisGreer we shall stay tuned and share this beautiful content
You have no idea how much this helps me in my daily loss.. wish i knew this sooner
It's a great graph isn't it! Enjoy
Awesome... I'm passionate about TCP and you are doing something very great.. thx for the VID..
Thank you. I learned something new!
Using the stream graphs is so much easier than just scrolling through the trace. Thanks for this explanation Chris!
Thanks John! Agreed.
This is the first time that I watch Chris, and it was a fantastic video🤩. The way you explain it is so clear and straightforward-amazing👌
Glad you enjoyed it! Thank you for the comment.
Thank you, great explanation. Wireshark is very complicated. Waiting for more of your videos.
More to come! Thanks.
Great Intro to tcp-trace. Cheers.
Great explanation.....Thanks!
Good stuff Chris!
Great 👍 explanation as always. Thank you Chris.
My pleasure!
Thank you very much. This video really helps me to know how tcp trace works.
It is very clear. Thank you~
Glad it was helpful!
Thank you, great video. It explained so much to me.
Glad you liked it!
New to your videos, very impressed by the detailed explanation.
Thanks Ferrari! Happy to have you around. Make sure to like and subscribe for more TCP and Wireshark
This is a great, helpful video. Thanks Chris
Glad it helps J, thanks for the comment!
Wow this is amazing. Thank you so much!
Glad it helped you! Thanks for the comment.
Mind blowing !!
These videos are great 😍👌
Glad you like them!
@ChrisGreer Chris I work as a network engineer (R&S), these videos helped me a lot.
What steps should I take in my career now, network security?
I'm relatively new to TCP analysis and I have a strange example where the window size (green) graph seems totally uncorrelated to the other bytes in flight (blue) / acknowledge (brown) graphs, which is unlike your example. Also in the trace I have, the bytes in flight are always displayed along the brown graph. What is the explanation for what I'm seeing?
Hey Chris! That was very interesting and insightful. Is there a set of books and/or courses you recommend for people wanting to further their knowledge on the Wireshark/packet analysis game? I dream of a day that I'm like the Yoda of packet captures and I can see issues like Neo in the Matrix! Thanks for sharing!
Hey Rafael - Yes! You should check out my courses on Pluralsight. I have four of them - video courses with hands-on labs and demonstrations that you can follow along with. Here is the link to one of them - app.pluralsight.com/library/courses/troubleshooting-slow-networks-wireshark/table-of-contents - I would recommend these to get you started. Hope they help you along your path to being a true Packet Jedi!
Hi Chris. Many thanks for the detailed explanation on this graph, which helped me understand it a lot. I do have a question. I got a trace where the data points are actually way above the receive window and not within it. This customer of mine is also having slow throughput. Is it also a case of not enough receive window buffer?
Hello Sam - I would need to take a look at the graph in order to tell. There could be lots of things causing the slowness. If you want you can send me a screenshot to packetpioneer (at) gmail.com
Awesome content, I have a question if you don't mind: QUIC runs on UDP, so it's not possible to analyze it as a graph. Is there a way to graph QUIC packets in Wireshark?
Hi Sabit, as you mention, at this time, we don't have stream graphs for QUIC (yet). You would need to use the I/O graphs and display filters to generate your own custom graphs. Are you just looking for utilization? Or util per stream?
@ChrisGreer thanks for answering, it'll be only for utilization. I'll be checking I/O graphs as you highlighted.
Hey Chris...dumb question, but how do you enlarge the receiver's window?
No such thing as a dumb question! It's actually a very good one. In most operating systems there is usually a deep setting where it can be adjusted, along with the scale factor. I would just Google your specific operating system and dig for "adjust receive window size", and usually you can find a developer forum where those kinds of questions are being asked. Sorry to boot you to Google! But there is a huge variation in how to do it by OS.
Thank you for the video! I just started to learn Wireshark and needed some good and free resources with some .pcap files to practice. Thank you very much!
One question which I did not find on Google: how do you change the color of the selected packet to something like your green? In coloring rules I found only filters, but I don't want filters, just the selected packet.
For an individual packet in a trace that is not part of a general conversation that I want to color, I usually just Mark the packet. Right-click it and select Mark/Unmark Packet. That will color it black. If you are looking for something in every trace that is very specific, then we would use a coloring rule with a filter for something unique on that packet. Hope that helps!
Thank you!
You're welcome!
@Chris a big fan of your work! One question: how have you moved the hex window to the right side, so you can see the different layers and their corresponding hex data?
Hey @shah! Thanks for reaching out. You can do that in the Layout section of the Preferences. You can access the preferences under the "Edit" menu on a Windows machine, or under the Wireshark menu on a Mac. Layouts let you adjust the packet list, detail, and bytes view.
@ChrisGreer Sweet! Thanks a lot, Chris!
Can you explain what happens and what process goes on if I increase the stream here, or what the stream number is and how it works here?
Hello, can you help me understand the question a little better? Are you asking about what a TCP stream is? Basically it is one and the same as a connection - and the tcptrace graph plots the increase in sequence numbers in one direction over time. I hope that helps.
At 0:48 I didn't quite get how you can state that the capture was made on 192.168.0.1? What would it look like if it was captured on 10.0.0.1? Fantastic video otherwise!! Thanks
How will the calculated window size be the same from frame 3788 to 3799??? I am confused about that part.
Hey, thanks for the comment and the question! Keep in mind that those packets are in the outbound direction: that side of the connection is not receiving data, it is sending it. So the calculated window size does not change because that side of the conversation is sending data. Also - even if it were receiving data, if the window size does not drop, that simply means that the receiver is able to process data out of the TCP buffer as fast as it is coming in, keeping the TCP window size the same.
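To make the answer above concrete, here is an added example (my own code, not from the comment thread and not Wireshark's implementation) that models the quantities the tcptrace graph plots for one direction of a connection and why a window can stay flat across many frames. The seven segments, the window-scale shift of 7 (RFC 7323 scaling) and the buffer sizes are constructed for the example. `tcptrace_series` tracks the sender's highest sequence number, the peer's ACK line (brown), the ACK line plus the peer's calculated window (green) and the resulting bytes in flight; `receiver_window_trace` shows that a side which receives nothing, or whose application drains the socket buffer as fast as data lands, advertises the same window every time, while a stalled reader drives it to zero.

```python
"""Added illustration (not from the comment thread or from Wireshark's source):
a small model of what Wireshark's tcptrace graph plots for one direction of a
TCP connection, plus a receive-buffer model that shows why an advertised
window can stay flat for many frames.

All segment values, the window-scale shift and the buffer sizes below are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Segment:
    """One TCP segment with relative numbers, as Wireshark displays them."""
    t: float      # capture time (seconds)
    src: str      # which endpoint sent it
    seq: int      # relative sequence number
    length: int   # TCP payload bytes
    ack: int      # relative acknowledgment number
    window: int   # raw 16-bit window field as seen on the wire


def calculated_window(raw_window: int, scale_shift: int) -> int:
    """Wireshark's 'calculated window size': the wire value shifted left by
    the window-scale count negotiated in the SYN options (RFC 7323)."""
    return raw_window << scale_shift


def tcptrace_series(segments: Iterable[Segment], sender: str,
                    scale_shift: int) -> List[Tuple[float, int, int, int, int]]:
    """Return (time, highest_seq, ack_line, window_line, bytes_in_flight)
    for the sender -> peer direction, one tuple per segment in time order.

    highest_seq     - top of the data the sender has put on the wire
    ack_line        - highest ack the peer has returned (the brown line)
    window_line     - ack_line + the peer's calculated window (the green line)
    bytes_in_flight - sent but not yet acknowledged
    """
    highest_seq = 0
    highest_ack = 0
    peer_window = 0
    points = []
    for s in sorted(segments, key=lambda x: x.t):
        if s.src == sender:
            # Outbound data moves the sequence number forward; this segment's
            # own window field says nothing about how much this side may send.
            highest_seq = max(highest_seq, s.seq + s.length)
        else:
            # The peer's ACKs raise the brown line, and the peer's advertised
            # (scaled) window sets how far above it the green line sits.
            highest_ack = max(highest_ack, s.ack)
            peer_window = calculated_window(s.window, scale_shift)
        points.append((s.t, highest_seq, highest_ack,
                       highest_ack + peer_window, highest_seq - highest_ack))
    return points


def receiver_window_trace(buffer_size: int, arrivals: Sequence[int],
                          app_reads: Sequence[int]) -> List[int]:
    """Model the window a receiver advertises: free space in its socket buffer.

    At step i, arrivals[i] bytes land in the buffer (only as many as fit are
    accepted) and the application then reads app_reads[i] bytes out of it.
    A pure sender has arrivals of 0, so its window never moves; a receiver
    whose application drains as fast as data lands also shows a flat window.
    """
    unread = 0
    windows = []
    for arrived, read in zip(arrivals, app_reads):
        accepted = min(arrived, buffer_size - unread)
        unread += accepted
        unread -= min(read, unread)
        windows.append(buffer_size - unread)
    return windows


# Constructed seven-segment exchange. B's SYN/ACK has told A that B's window
# field must be scaled by 2**7 (assumed scale shift of 7); A's own window
# field is 512 on every outbound frame because A is receiving nothing.
SCALE_SHIFT = 7
SAMPLE = [
    Segment(0.000, "B", 0, 0, 0, 1024),        # B's SYN/ACK: window 1024 << 7
    Segment(0.001, "A", 0, 1460, 0, 512),
    Segment(0.002, "A", 1460, 1460, 0, 512),
    Segment(0.010, "B", 0, 0, 2920, 1024),     # pure ACK from B
    Segment(0.011, "A", 2920, 1460, 0, 512),
    Segment(0.012, "A", 4380, 1460, 0, 512),
    Segment(0.020, "B", 0, 0, 5840, 1024),
]


def demo() -> None:
    for t, seq, ack, win, inflight in tcptrace_series(SAMPLE, "A", SCALE_SHIFT):
        print(f"t={t:.3f}s seq={seq:6d} ack={ack:6d} window_edge={win:7d} "
              f"in_flight={inflight}")
    print("A window values:", sorted({s.window for s in SAMPLE if s.src == 'A'}))
    print("draining receiver:", receiver_window_trace(65535, [1460] * 4, [1460] * 4))
    print("stalled receiver: ", receiver_window_trace(4380, [1460] * 4, [0] * 4))


if __name__ == "__main__":
    demo()
```

Run it and the window edge stays a fixed 131072 bytes above whichever ACK B last returned, while bytes in flight rise with each data segment and fall to zero on every ACK; the stalled-reader trace ends in a zero window, which is the condition the receive-buffer question in this thread is really about.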
I'm running Wireshark 3.2.2 and in my tcptrace graph I only see the brown and green lines, not the data in between... Any idea what's causing that?
To answer my own question.. this is bug #16281 ... Fixed in Wireshark 3.2.3 :-)
@redaxxx Gotcha - glad you found the bug. I saw that too in that version. Should be all set now.