
Wireshark-users: [Wireshark-users] Graphing IP DSCP and other fields

From: "Sebastian" <spa@xxxxxxxxxxxx>
Date: Wed, 16 Apr 2008 20:50:59 +0100
Title: Graphing IP DSCP and other fields

Hi all,

Is there a better way of graphing IP DSCP than using an IO graph?  The IO graph suffers from two disadvantages compared with the ideal statistics tool:

1.  Since the IO graph cannot automatically graph different values of the same field, one has to put in for example:
ip.dsfield.dscp == 46
Into one graph, then
ip.dsfield.dscp == 34
Into another graph, etc. for all the DSCP numbers you want to graph, which will probably include 0 and perhaps total IP traffic.  (a) this is rather tedious, and (b) there are only 5 graphing slots available and there are 21 relatively commonly used DSCP values (including the ToS ones), plus a lot more 'user-configurable' ones.

2.  There is no way of saving (and loading) groups of IO graphing criteria together.

Of course, IO graphs could benefit from enhancements in these two areas (for graphing many, many things)…  For example, in the case of automatically graphing all values of a field, adding a checkbox that works when you don't have an operator / 'relation' in the filter expression called something like 'Graph values separately' that ungroups the values of the field and draws lines for each one.  Or a special 'relation' that does this ungrouping (so that you can still filter on other things).  The problem I see with both these is that extra colours would have to be dynamically assigned to the resulting graphs, so maybe there is a better solution.

A pie chart for graphing fields would probably also be useful, e.g. if you want to see the relative bandwidth by DSCP, or CoS, or VLAN ID, aggregated over time.

One usage scenario for these graphs is monitoring the bandwidth used by various groups of services, and ensuring good QoS (DiffServ) behaviour of a network.

But I'm pretty new to Wireshark, so, of course, I may have missed some of its capabilities.  Please enlighten me if so.

Many thanks,

SPA
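
The per-value breakdown asked about above can be computed outside the IO graph. The following is an added example, not part of the original post and not Wireshark code: it reads a classic pcap, groups IPv4 bytes by DSCP value per time interval without naming the values in advance, and returns series that can be plotted or summed for a pie chart. It assumes Ethernet link type and microsecond timestamps; `dscp_bytes_per_interval`, `_frame` and `sample_pcap` are hypothetical names, and the sample capture is constructed.

```python
import struct
from collections import defaultdict

def dscp_bytes_per_interval(pcap, interval_s=1):
    """Return {interval_index: {dscp: ipv4_bytes}} for a classic pcap byte string."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic microsecond pcap with Ethernet link type")
    out, off, t0 = defaultdict(lambda: defaultdict(int)), 24, None
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        ts_us = sec * 1_000_000 + usec
        t0 = ts_us if t0 is None else t0   # intervals are relative to the first packet
        l3 = 12
        while frame[l3:l3 + 2] in (b"\x81\x00", b"\x88\xa8"):  # skip VLAN tags
            l3 += 4
        ip = frame[l3 + 2:]
        if frame[l3:l3 + 2] != b"\x08\x00" or len(ip) < 20:
            continue  # not IPv4, or header truncated by the snap length
        dscp = ip[1] >> 2  # DSCP is the upper 6 bits of the DS field
        total_len = struct.unpack("!H", ip[2:4])[0]
        out[(ts_us - t0) // (interval_s * 1_000_000)][dscp] += total_len
    return {k: dict(v) for k, v in out.items()}

def _frame(dscp, payload_len):
    """Constructed Ethernet + IPv4 frame (documentation addresses, checksum left 0)."""
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + payload_len, 0, 0,
                     64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + bytes(payload_len)

def sample_pcap():
    """Constructed capture: DSCP 46 and 34 in the first second, DSCP 0 in the next."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, dscp, n in [(0, 0, 46, 180), (0, 400000, 34, 480),
                               (0, 900000, 46, 180), (1, 100000, 0, 80)]:
        f = _frame(dscp, n)
        out += struct.pack("<IIII", sec, usec, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(dscp_bytes_per_interval(sample_pcap()))
```

The byte counts are the IPv4 total-length field, so link-layer overhead is excluded.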