Wireshark opens your file with the “Default” profile, which has the basic columns Packet Number, Time, Source, Destination, Protocol, Length and Info. Over time I understood that having more columns available from the beginning saves time and also helps in troubleshooting. As you can see in the screenshot, I have added several columns:

Delta Time => Shows the delta time to the previous captured packet.
Bytes in Flight => Data which has been sent but not yet acknowledged.

Adding those columns helped me to save time in analyzing!

2. Get first information from the 3-Way-Handshake

The 3-Way-Handshake is the most important step in TCP to establish a communication between client and server. Here is a short recap of how the handshake looks:

The Client sends a SYN packet with its Initial Sequence Number to the Server.
The Server acknowledges (ACK) the SYN packet from the Client and sends its own SYN packet with its Initial Sequence Number.
The Client acknowledges (ACK) the SYN packet from the Server.

Now the TCP communication is established and able to exchange data. During the 3-Way-Handshake a lot of useful information is exchanged between Client and Server. Besides Source IP, Destination IP, Source Port, Destination Port, Source MAC and Destination MAC you can also get:

RTT => Round Trip Time between Client and Server.
TTL => Time to Live – with that value you can calculate the number of hops between Client and Server.
Calculated Window Size => The amount of data which can be received before it needs to be acknowledged.

With just 3 packets you can get an overview of your TCP communication. Filter your packet capture to your destination address (for the needed filters see my Introduction to Wireshark – Part 2) and start analyzing. From now on I use as an example a TCP communication between my client in my private network and the server (173.212.216.192).

Since I am working on the infrastructure side, my first goal is to understand whether the network is behaving as it should. When I am asked to analyze a network packet capture, it is a mandatory step to understand the percentage of packet loss (TCP Retransmissions). To do that I use the display filter “ip.addr=173.212.216.192 and ”. It shows all the packets which were retransmitted. The next step is to open the “Capture File Properties” under the “Statistics” tab. Under the Statistics section you can see the columns “Captured” and “Displayed”. The “Displayed” column is based on your display filter and shows the statistics compared to the “Captured” data. I used this example to show you an extreme case: you can see there are 10,4% packets retransmitted. How many percent of packet loss is critical depends on many factors. Probably no single answer is correct, but when the packet loss is higher than 1% and is causing a high delay in the communication you should start looking closer.

In the Wireshark documentation you find the following statement: “Take expert infos as a hint what’s worth looking at, but not more”. Wireshark’s Expert Information is very useful and gives you some idea of what to check in the packet capture. When I first analyzed a packet capture, the Expert Information was very helpful and gave me hints in which direction to analyze. Go to the “Expert” tab and select “Expert Information”. In previous versions of Wireshark (v1) the overview of the “Warnings”, “Notes” and “Chats” was clearer. It will absolutely help you!

A short recap about what Round Trip Time means: RTT is the time between a packet being sent and an answer coming back. For our packet capture analysis it is important to understand whether there are packets with a high RTT. That would mean that we suffer from slow communication. To open the Round Trip Time Graph go to “Statistics” > “TCP Stream Graphs” > “Round Trip Time”.