Understanding the tcptrace Time-Sequence Graph in Wireshark

Originally published at PacketBomb: https://packetbomb.com/understanding-the-tcptrace-time-sequence-graph-in-wireshark/

If I’m troubleshooting a performance issue, one of the first tools I reach for in Wireshark is under Statistics > TCP StreamGraph > Time-Sequence Graph (tcptrace). At a glance I can tell if this is going to be an easy one to analyze or if I’m gonna have to roll up my sleeves and dive in deeper.

I’ll be showing you how to use the time sequence graph in my next video, but for now let’s talk about how to interpret the lines and colors and markings.

The Time-Sequence graph shows a data stream over time. By definition, a stream is moving in one direction. So if a client is downloading a file from an FTP server you must click on a packet from the server before generating the graph. Again, it is only showing you data flowing in one direction.

Here’s a zoomed-in screencap with some annotations:

The x-axis is time in seconds (e.g. 2.35 seconds). The y-axis is TCP sequence numbers, which represent bytes sent: the sequence number increases by 1 for every byte of TCP data sent. Ideally you’d want to see a smooth line going up and to the right. The slope of the line is the throughput, i.e. the effective bandwidth of the pipe. The steeper the line, the higher the throughput.

The little black I-beams represent TCP data segments. The longer the I-beam, the more data per packet. The gray line below that is the ACKs from the receiver. The distance between the ACKs and the TCP data at a given point in time represents the bytes in flight. So if at 2.35 seconds the server is sending byte 40,400,000 and receives an ACK for 40,000,000, then there are 400,000 unacknowledged bytes in flight. (I added the red line and blue tick marks at 2.35; they’re not part of the graph.)

The top line represents the calculated receive window of the client. This is the ACK number plus the current advertised receive window. If the current ACK is 40,000,000 and the advertised receive window is 1,200,000 then the calculated receive window will be at 41,200,000. The distance between the current TCP sequence number (40,400,000) and the calculated receive window (41,200,000) is how much data the client can buffer (800,000).

Ok, that covers the basics. Here are a few more things:

We still have the TCP segment data and the ACKs represented as before. Now we have two new things relating to data loss and recovery. Duplicate ACKs are represented as small ticks on the underside of the ACK line. SACK blocks are the blue lines above those tick marks (the dup ACKs).
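To make the arithmetic behind the graph concrete, here is an added example (my own code, not part of the original post and not Wireshark or tcptrace code) that models one direction of a TCP stream with two constructed record types, DataSeg for the black I-beams and AckSeg for the gray ACK line, and derives the quantities discussed above: bytes in flight, the calculated receive window, how much room is left in the client’s buffer, the slope of the data line, and a simplified duplicate-ACK flag with the SACK blocks each ACK carries. The packet list is constructed to reproduce the 2.35-second numbers from the post and then a single lost segment; sequence numbers are treated as relative with no 32-bit wraparound, which matches Wireshark’s default display.

```python
from dataclasses import dataclass, field
from typing import List, Tuple, Union


@dataclass
class DataSeg:
    """A TCP data segment drawn as an I-beam spanning seq .. seq+length."""
    t: float
    seq: int
    length: int

    @property
    def next_seq(self) -> int:
        return self.seq + self.length


@dataclass
class AckSeg:
    """A pure ACK from the receiver: ACK number, advertised window, SACK blocks."""
    t: float
    ack: int
    win: int
    sack: List[Tuple[int, int]] = field(default_factory=list)


def bytes_in_flight(highest_seq_sent: int, ack: int) -> int:
    """Vertical distance between the data line and the ACK line at one instant."""
    return highest_seq_sent - ack


def calculated_receive_window(ack: int, win: int) -> int:
    """The top line on the graph: ACK number plus advertised window."""
    return ack + win


def available_window(highest_seq_sent: int, ack: int, win: int) -> int:
    """How much more data the sender may put in flight before the client's buffer is full."""
    return calculated_receive_window(ack, win) - highest_seq_sent


def throughput_bytes_per_sec(a: DataSeg, b: DataSeg) -> float:
    """Slope of the data line between two segments, in bytes per second."""
    return (b.next_seq - a.next_seq) / (b.t - a.t)


def analyze(packets: List[Union[DataSeg, AckSeg]]) -> List[dict]:
    """Walk packets in time order and annotate every ACK the way the graph does."""
    highest = 0       # top of the highest I-beam sent so far
    last_ack = None   # previous ACK number, for the simplified dup-ACK rule
    out = []
    for p in sorted(packets, key=lambda p: p.t):
        if isinstance(p, DataSeg):
            highest = max(highest, p.next_seq)
            continue
        # Simplified rule (assumption): a dup ACK repeats the previous ACK number.
        # Wireshark's expert info also compares window and sequence fields.
        dup = last_ack is not None and p.ack == last_ack
        out.append({
            "t": p.t,
            "ack": p.ack,
            "in_flight": bytes_in_flight(highest, p.ack),
            "calc_rwnd": calculated_receive_window(p.ack, p.win),
            "room": available_window(highest, p.ack, p.win),
            "dup_ack": dup,
            "sack": list(p.sack),
        })
        last_ack = p.ack
    return out


# Constructed packets, not a real capture. The first ACK reproduces the post's numbers:
# the server has sent up to byte 40,400,000, the client ACKs 40,000,000 with a
# 1,200,000-byte window. Then one segment is lost and the client answers the segments
# above the hole with duplicate ACKs that carry a growing SACK block.
MSS = 1460
SAMPLE = [
    DataSeg(2.30, 40_000_000, 10_000),            # earlier burst
    DataSeg(2.34, 40_400_000 - MSS, MSS),         # I-beam ending exactly at 40,400,000
    AckSeg(2.35, 40_000_000, 1_200_000),
    DataSeg(2.360, 40_400_000, MSS),              # arrives
    DataSeg(2.361, 40_400_000 + MSS, MSS),        # lost on the wire
    DataSeg(2.362, 40_400_000 + 2 * MSS, MSS),    # arrives, lands above the hole
    DataSeg(2.363, 40_400_000 + 3 * MSS, MSS),    # arrives, lands above the hole
    AckSeg(2.400, 40_400_000 + MSS, 1_200_000),   # ACKs up to the hole
    AckSeg(2.401, 40_400_000 + MSS, 1_200_000,
           sack=[(40_400_000 + 2 * MSS, 40_400_000 + 3 * MSS)]),   # dup ACK + SACK
    AckSeg(2.402, 40_400_000 + MSS, 1_200_000,
           sack=[(40_400_000 + 2 * MSS, 40_400_000 + 4 * MSS)]),   # dup ACK, SACK grows
]

if __name__ == "__main__":
    for row in analyze(SAMPLE):
        print(row)
    print("slope (B/s):", throughput_bytes_per_sec(SAMPLE[0], SAMPLE[1]))
```

The first annotated ACK comes out exactly as in the text: 400,000 bytes in flight, a calculated receive window of 41,200,000 and 800,000 bytes of room. After the lost segment the second and third ACKs repeat the same ACK number, so they would be drawn as ticks under the ACK line, and their SACK blocks (the blue lines) show the receiver has the data beyond the hole, which is what tells you the loss was a single segment rather than a stall.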

A few quick items to note:

  • You can use the ‘i’ key to zoom in at the current mouse position
  • You can use the ‘o’ key to zoom out from the current mouse position
  • You can right click hold and drag around the graph
  • You can left click hold and drag a rectangle to zoom in on a region
  • You can single left click on a segment or ACK to go to that packet in the pcap (very useful)

I’ll go over this in further detail in the next video. If you’re not sure what advertised receive windows, dup ACKs, or SACK blocks are, no worries, it will all be revealed in good time. Bookmark this page and reference it in the future.

If you have any tips or tricks for the tcptrace Time-Sequence graphs, leave a comment!

If you’d like to see some examples of good and bad time-sequence graphs, subscribe to the newsletter and get access to the additional videos.
