Ethereal-dev: Re: [Ethereal-dev] TCP Seq graph and users' guide.
On Mon, Nov 18, 2002 at 01:01:47PM -0700, John McDermott wrote:
> All,
> I recently received a query about how to interpret the Time-Sequence
> Graph (Stevens). I thought, "Well, rtfm...". Looking at the users quide
> for the tools menu
> (http://www.ethereal.com/docs/user-guide/ch03toolssection.html) despite
> saying that it is for 0.9.7, it does not have "TCP Stream Analysis" in
> the screen capture or the text.
>
> Absent material in the documentation, can someone tell me how to
> interpret this? I don't use that feature so I'm a bit unsure.
X-axis is time, counted from beginning of the capture or beginning of
the particular TCP connection (configurable from the GUI). Y-axis is
sequence number, possibly with ISN subtracted for better idea how much
data has been transferred by the connection so far. This is
configurable from the GUI, too.
For each segment of the connection, a dot is drawn into the graph. Time
of the segment's arrival is extracted from the packet list and it
determines x-coordinate of the dot. Similarly, sequence number
determines the dot's y-coordinate (possibly after subtracting the
initial sequence number as mentioned above).
As for interpretation: since the graph shows how number of transferred
bytes changes with time, its first derivation shows the transfer rate at
any moment. For a TCP connection with a constant transfer rate (a
desirable scenario) the graph should be a straigh line, the bigger its
slope the higher the transfer rate of the connection. The dots should
create a non-descending polyline - if they don't, then there was a
retransmission. In other words, no dot should live to the southeast
from any other dot. If it does, that means a retransmission.
I'm not sure if there's much more information to be extracted from this
simple type of graph. This type of graph should be used for cursory
examination only where the much more informative tcptrace-style graph
can be confusing (exactly by the sheer amount of info it contains). I
included this graph style because it's simple and it's used by Stevens
in his TCP/IP Illustrated masterworks for examining time/sequence number
dependencies. For a more serious analysis tcptrace-style graph should
be used.
HTH, if not, please don't hesitate to ask.
pvl