Monitoring Bandwidth Usage: Wireshark's Essential Guide

Bandwidth is the maximum rate at which data can be transferred from one point to another within a specific time frame. Monitoring bandwidth usage is important for network administrators to ensure optimal performance and to troubleshoot issues. Wireshark is a popular open-source tool for capturing network packets and converting them into a human-readable binary format, offering detailed insights into network performance.

Wireshark has multiple methods for monitoring bandwidth usage, including the I/O Graphs function, which displays bandwidth usage in the number of packets, and the Statistics Summary, which provides the average bandwidth usage. This article will provide a step-by-step guide on how to use Wireshark to monitor bandwidth usage, covering topics such as capturing packets, applying filters, and interpreting the data provided by Wireshark's various tools.

Using Wireshark's I/O Graphs

Wireshark's I/O Graphs window is a powerful tool for monitoring bandwidth usage and offers multiple ways to visualise and analyse network data.

To access the I/O Graphs, follow these steps:

• Stop packet capturing from the interface.
• Navigate to the Statistics menu and click on I/O Graphs.
• By default, you will see your bandwidth usage in the number of "packets".
• Customise the graph by changing the "Y Axis" value to your desired unit of measurement, such as "Bits" for bits per second.

The I/O Graph window provides a clear visualisation of bandwidth consumption during a file transfer. It also allows for customisation to suit your specific needs. For instance, you can add multiple rows and apply display filters to compare traffic between two IPs, helping you gain a better perspective on your bandwidth usage.

Additionally, Wireshark's Statistics menu offers other valuable tools, such as the Endpoints window, which helps identify the top bandwidth consumers by displaying layer 2, 3, and 4 endpoints. This can be especially useful when you need to pinpoint applications or clients that are utilising the most bandwidth and affecting network performance.

Wireshark's I/O Graphs provide a detailed and flexible way to monitor and analyse bandwidth usage, making it a valuable tool for network administrators and anyone seeking in-depth insights into their network traffic.

Understanding the Protocol Hierarchy

The "Protocol Hierarchy" window in Wireshark is a tree of all the protocols in the captured packets. It is a useful way to understand the protocols in use and determine the goal of the communication.

The "Protocol Hierarchy" window displays the following information:

• Protocol: The name of the protocol.
• Percent Packets: The percentage of protocol packets relative to all packets in the capture.
• Packets: The total number of packets that contain this protocol.
• Percent Bytes: The percentage of protocol bytes relative to the total bytes in the capture.
• Bytes: The total number of bytes of this protocol.
• Bits/s: The bandwidth of this protocol relative to the capture time.
• End Packets: The absolute number of packets of this protocol where it was the highest protocol in the stack.
• End Bytes: The absolute number of bytes of this protocol where it was the highest protocol in the stack.
• End Bits/s: The bandwidth of this protocol relative to the capture time where it was the highest protocol in the stack.
• PDUs: The total number of PDUs of this protocol.

Each row in the "Protocol Hierarchy" window contains the statistical values of one protocol. The "Percent Packets" and "Percent Bytes" columns also serve as bar graphs. If a display filter is set, it will be shown at the bottom.

The "Protocol Hierarchy" window is particularly useful when dealing with large capture files. It can help build a snapshot of roles and functions, especially when the capture is focused on a single host. For example, the presence of SMTP and IMAP protocols indicates the sending or receiving of mail, while HTTP and DNS data suggest web browsing activity.

The "Protocol Hierarchy" window can be accessed by selecting "Statistics" -> "Protocol Hierarchy" in the Wireshark menu or toolbar.

Applying Display Filters

Display filters are used to filter already-recorded data. They are useful when you are analysing large files and a considerable amount of data. They help administrators find specific network data out of thousands of packets travelling through the network every second.

To apply a display filter in Wireshark, first identify a packet belonging to the network flow you are interested in. Then, right-click on it and select 'conversation filter' and then 'IP/TCP'. This will isolate the IP/TCP traffic of interest.

You can also use display filters to narrow down the list of options and find relevant information when viewing network statistics.

Display filters can be used to isolate the traffic you are interested in and to provide more granular display options for greater clarity.

Using the Summary Statistics

To use the Summary Statistics feature in Wireshark to monitor bandwidth usage, follow these steps:

• Start packet capturing: Open Wireshark and select the interface you want to capture packets from. This is usually the network interface you are using to connect to the device or service you want to test.
• Initiate the activity: Start the activity or service you want to test. For example, if you want to test HTTP bandwidth, open a web browser and navigate to a site from where you can download large files.
• Stop packet capturing: Once the download or activity is complete, stop the packet capture in Wireshark.
• Apply display filters: Right-click on a packet belonging to the network flow you are interested in and select "Conversation Filter" > "IP / TCP". This will help isolate the IP and TCP traffic for analysis.
• View Summary Statistics: Go to "Statistics" > "Summary" in the Wireshark menu. Here, you will see the display filter and the bandwidth used during the captured packets. Note that there may be a slight discrepancy between the bandwidth used in the captured packets and the displayed packets due to the average speed calculation.
• Analyze the results: The Summary Statistics window will provide information such as the number of packets, bytes, and the average packet size. It will also display the bandwidth usage in Megabits per second (Mbps) near the bottom of the summary window. Compare this value to your expected or allotted bandwidth to understand your usage better.

By following these steps, you can utilize Wireshark's Summary Statistics feature to gain insights into your bandwidth usage, identify discrepancies, and make informed decisions about your network utilization.

Visualising with IO Graphs

The IO Graphs window in Wireshark allows you to plot packet and protocol data in a variety of ways. To access the IO Graphs window, go to the Statistics menu and select IO Graphs.

The window contains a chart drawing area and a list of customisable graphs. Graphs are saved in your current profile and are divided into time intervals, which can be set as desired.

To set up a graph, follow these steps:

• Go to the Statistics menu and click on IO Graphs.
• Click on the graph you want to work with to add a display filter.
• Use the style column to choose the type of graph you want to use to display your packet data. You can choose from Line, FBar, Dot, or Impulse.
• Modify the X and Y-axis metrics as needed.
• Save the graph in a file format for future reference.

You can also customise the graph structure and apply filters and colour codes to find relevant information. Multiple graphs can be activated simultaneously, but Wireshark's default settings only display one graph at a time.

The Y-axis value can be set to Packets, Bytes, or Bits, and the X-axis tick can be left at 1 sec to get the bytes/sec.

The IO Graphs window also allows you to calculate the summary statistics of packet data, including SUM, MAX, MIN, and AVG.

Frequently asked questions