One of Wireshark’s strengths is its statistical tools. When using Wireshark, we have various types of tools, starting from the simple tools for listing end-nodes and conversations, to the more sophisticated tools such as flow and I/O graphs.
In this article, we will look at the simple tools in Wireshark that provide us with basic network statistics, i.e., who talks to whom over the network, which devices are the chatty ones, what packet sizes run over the network, and so on.
To start statistics tools, start Wireshark, and choose Statistics from the main menu.
In this recipe, we will learn how to get general information from the data that runs over the network. The Capture File Properties window in Wireshark 2 replaces the Summary menu of Wireshark 1.
Start Wireshark, click on Statistics, and choose Capture File Properties.
What you will get is the Capture File Properties window (displayed in the following screenshot).
This window simply gives a summary of the properties of the filtered data and the capture statistics (for example, average packets or bytes per second) for anyone who wants an overview of the capture.
In this recipe, we will learn how to get protocol hierarchy information of the data that runs over the network.
Start Wireshark, click on Statistics, and choose Protocol Hierarchy.
What you will get is the Protocol Hierarchy window, which shows the protocol distribution of the captured data:
In this file example, we can see two interesting issues:
Simply put, it calculates statistics over the captured data. Some important things to notice:
In this recipe, we will learn how to get conversation information of the data that runs over the network.
Start Wireshark, click on Statistics.
From the Statistics menu, choose Conversations:
The following window will come up:
You can choose between layer 2 Ethernet statistics, layer 3 IP statistics, or layer 4 TCP or UDP statistics.
You can use these statistics tools for:
If you see that there is a lot of traffic going out to port 80 (HTTP) on a specific IP address on the internet, you just have to copy the address into your browser to find the website that is most popular with your users.
If you don’t get anything, simply go to a standard DNS resolution website (search Google for DNS lookup) and find out what is loading your internet line.
To view IP addresses as names, check the Name resolution checkbox (1 in the previous screenshot). Name resolution must first be enabled by choosing View | Name Resolution | Enable for Network layer.
You can also limit the conversation statistics to a display filter by checking the Limit to display filter checkbox (2). In this way, statistics are presented only for the packets that pass the display filter.
A new feature in Wireshark version 2 is the graph feature, marked as (5) in the previous screenshot. When you choose a specific line in the TCP conversations statistics and click Graph…, it brings you to the TCP time/sequence (tcptrace) stream graph.
To copy table data, click on the Copy button (3). In TCP or UDP, you can mark a specific line, and then click on the Follow Stream… button (4). This will define a display filter that will show you the specific stream of data. As you can see in the following screenshot, you can also right-click a line and choose to prepare or apply a filter, or to colorize a data stream:
Unlike the previous Wireshark version, which showed every protocol type in the upper tabs, here only the protocols identified in the capture are presented by default, and you can choose which protocols to display.
A network conversation is the traffic between two specific endpoints. For example, an IP conversation is all the traffic between two IP addresses, and TCP conversations present all TCP connections.
In this recipe, we will learn how to get endpoint statistics information of the captured data.
Start Wireshark and click on Statistics.
To view the endpoint statistics, follow these steps:
In this window, you will be able to see layer 2, 3, and 4 endpoints, that is, Ethernet, IP, and TCP or UDP.
From the left-hand side of the window you can see (here is an example for the TCP tab):
At the bottom of the window we have the following checkboxes:
Quite simply, it gives statistics on all the endpoints Wireshark has discovered. This can be any situation, such as the following:
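To make concrete what the four tools described above (Capture File Properties, Protocol Hierarchy, Conversations, and Endpoints) actually compute, here is an added example that reproduces those tables from a pcap file using only the Python standard library. It is not code from the book or from the Wireshark project. The capture it analyses is constructed in memory (a short HTTP exchange between a client and a web server plus one DNS lookup, with made-up addresses), and the table layouts (key names such as packets_ab or tx_bytes) are this example's own naming, not Wireshark's. The code also runs on a real file if you pass its bytes to capture_statistics, as long as the file is a classic pcap with Ethernet link type.

```python
"""Compute what the Wireshark Statistics menu shows (capture file properties, protocol
hierarchy, conversations, endpoints) from a pcap, standard library only.  Added example,
not code from the book or from Wireshark; the capture below is constructed, not real."""
import struct
from collections import Counter, defaultdict

ETH_IPV4, PROTO_TCP, PROTO_UDP = 0x0800, 6, 17
PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP-or-UDP frame (checksums left zero; the parser ignores them)."""
    if proto == PROTO_TCP:  # sport, dport, seq, ack, offset (5 words), PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:                   # sport, dport, length, csum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack("!H", ETH_IPV4) + ip + l4 + payload


def build_pcap(records):
    """Serialise (timestamp, frame) pairs as a pcap file with link type 1 (Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for ts, f in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1_000_000)), len(f), len(f)) + f
    return bytes(out)


def decode(f):
    """Decode the layer stack Ethernet -> IPv4 -> TCP/UDP, which the protocol hierarchy counts."""
    rec = {"layers": ["eth"], "src_mac": f[6:12].hex(), "dst_mac": f[0:6].hex()}
    if struct.unpack_from("!H", f, 12)[0] != ETH_IPV4:
        return rec  # non-IP frame: counted only under eth
    ihl = (f[14] & 0x0F) * 4
    rec["layers"].append("ip")
    rec["src_ip"], rec["dst_ip"] = ".".join(map(str, f[26:30])), ".".join(map(str, f[30:34]))
    proto = f[23]
    if proto in (PROTO_TCP, PROTO_UDP):
        rec["layers"].append("tcp" if proto == PROTO_TCP else "udp")
        rec["sport"], rec["dport"] = struct.unpack_from("!HH", f, 14 + ihl)
    return rec


def parse_pcap(data):
    """Yield (timestamp, bytes on the wire, decoded record) for each pcap record."""
    magic, = struct.unpack_from("<I", data)
    e = "<" if magic == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, wire = struct.unpack_from(e + "IIII", data, off)
        yield sec + usec / 1_000_000, wire, decode(data[off + 16:off + 16 + incl])
        off += 16 + incl


def capture_statistics(pcap):
    """One pass that fills the tables behind the four Statistics menu tools in the article."""
    s = {"packets": 0, "bytes": 0, "first": None, "last": None, "hierarchy": Counter(),
         "conv_ip": defaultdict(Counter), "conv_tcp": defaultdict(Counter),
         "endpoints_ip": defaultdict(Counter)}
    for ts, wire, rec in parse_pcap(pcap):
        s["packets"] += 1
        s["bytes"] += wire
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        for depth in range(1, len(rec["layers"]) + 1):  # every layer on the path counts the packet
            s["hierarchy"]["/".join(rec["layers"][:depth])] += 1
        if "ip" not in rec["layers"]:
            continue
        src, dst = rec["src_ip"], rec["dst_ip"]
        s["endpoints_ip"][src].update(tx_packets=1, tx_bytes=wire)  # endpoint = one address
        s["endpoints_ip"][dst].update(rx_packets=1, rx_bytes=wire)
        # A conversation is both directions between two endpoints: key on the unordered pair
        # and record the direction relative to address A (the lower one), as the GUI does.
        pairs = [("conv_ip", src, dst)]
        if rec["layers"][-1] == "tcp":
            pairs.append(("conv_tcp", (src, rec["sport"]), (dst, rec["dport"])))
        for table, a, b in pairs:
            key = tuple(sorted((a, b)))
            d = "ab" if key[0] == a else "ba"
            s[table][key].update({"packets": 1, "bytes": wire, f"packets_{d}": 1, f"bytes_{d}": wire})
    return s


def capture_properties(s):
    """The Capture File Properties summary: duration and average packets/bytes per second."""
    duration = (s["last"] - s["first"]) if s["packets"] else 0.0
    rate = (lambda n: n / duration) if duration > 0 else (lambda n: 0.0)
    return {"packets": s["packets"], "bytes": s["bytes"], "duration_s": duration,
            "avg_packets_per_s": rate(s["packets"]), "avg_bytes_per_s": rate(s["bytes"])}


C, S, R = "10.0.0.5", "203.0.113.10", "10.0.0.1"  # constructed client, web server, resolver
MAC_C, MAC_GW = "0200000000aa", "0200000000bb"
SAMPLE_FRAMES = [  # constructed HTTP exchange plus one DNS lookup
    (0.00, frame(MAC_C, MAC_GW, C, S, PROTO_TCP, 40001, 80, b"")),
    (0.05, frame(MAC_GW, MAC_C, S, C, PROTO_TCP, 80, 40001, b"")),
    (0.10, frame(MAC_C, MAC_GW, C, S, PROTO_TCP, 40001, 80, b"GET / HTTP/1.1\r\n")),
    (0.60, frame(MAC_GW, MAC_C, S, C, PROTO_TCP, 80, 40001, b"HTTP/1.1 200 OK\r\n")),
    (1.00, frame(MAC_C, MAC_GW, C, R, PROTO_UDP, 53000, 53, bytes(12))),
    (1.20, frame(MAC_GW, MAC_C, R, C, PROTO_UDP, 53, 53000, bytes(22))),
    (2.00, frame(MAC_C, MAC_GW, C, S, PROTO_TCP, 40001, 80, b"")),
    (2.00, frame(MAC_GW, MAC_C, S, C, PROTO_TCP, 80, 40001, b"")),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    st = capture_statistics(SAMPLE_PCAP)
    print("Capture File Properties:", capture_properties(st))
    print("Protocol Hierarchy:", dict(st["hierarchy"]))
    for table in ("conv_ip", "conv_tcp"):
        for key, c in st[table].items():
            print(table, key, dict(c))
    for ip, c in st["endpoints_ip"].items():
        print("endpoint", ip, dict(c))
```

The hierarchy counter increments once per layer on the packet's path, which is why the eth and eth/ip rows both show the full packet count while tcp and udp split it; the conversation tables sort the two addresses so that A and B are stable regardless of which side sent the packet, which is the same reason the GUI's Packets A → B and Packets B → A columns add up to the Packets column.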
We learned about Wireshark’s basic statistics tools and how you can leverage them for network analysis. Get over 100 recipes to analyze and troubleshoot network problems using Wireshark 2 from the book Network Analysis using Wireshark 2 Cookbook – Second Edition.