Using the flow graph feature on Wireshark

Scott Reeves demonstrates the flow graph feature of the Wireshark tool, which can help you check connections between client server, finding timeouts, re-transmitted frames, or dropped connections.

I posted a few weeks ago about using Wireshark to inspect packets on your network. This post is about another nice feature of Wireshark, namely, the flow graph. This can assist you in seeing whether there are any issues on the network such as dropped frames, timeouts or dropped connections.

To begin with, I ran a jperf session between a client and a server and used Wireshark to capture the packets.  This capture is the same type of capture I used in the post "Using jperf and Wireshark to troubleshoot network issues". In a future post I will cover using the utilities tc and iptables to simulate packet loss. In this example, we confine ourselves to a small network with no packet loss to speak of.

It is necessary to extract the IP address of the sending host, otherwise you will get flooded with other packets that are not part of the specific connection you are checking. Once you filter on an IP address, you can then extract just the TCP packets directed to and from that IP address. For this example, I used the filter ip.addr== and clicked Apply.

From there, you can do the next trick, which is to look at the flow graph of a TCP connection. The flow graph feature shows a sender and a receiver view of the packet flow. It is pretty simple to bring up the flow graph. Firstly, you should locate the start of the connection. In this case, I wanted to check the connection from start to finish, so I picked the first SYN packet. Then (on the main menu) you can click on Statistics, then down to Flow Graph. Figure A shows the initial steps.

Figure A

Click to enlarge.
From the popup window, select Display Packets, TCP Flow, and Standard source/destination address. Click OK and the graph will appear as shown in Figure B.

Figure B

click to enlarge.
Figure B shows the connection initiation process between the server and the client. Once the connection is established, the data frames start to flow. The essential details of a frame are shown in the flow graph. We can see, for instance, the time of transmission, the size of the frame, the sequence number of the frame and the TCP ports used for the connection. You can also step through the graph to the end and see if there are any re-transmits due to packet loss or timeouts. A further feature of Wireshark is that you can save the flow graph in text file format. As a long term (or maybe long time) CLI user, this is a feature I particularly like. The actual data is the same, but the text file is quite easy to use as a substitute for a picture file. Of course, not everyone is the same, and many people prefer the GUI graph. Figure C is a sample of how the text data file looks.

Figure C

Click to enlarge.

The flow graph feature can provide a quick and easy to use way of checking connections between a client and a server. It can show where there might be issues with a TCP connection, such as timeouts, re-transmitted frames, or dropped connections.


Scott Reeves has worked for Hewlett Packard on HP-UX servers and SANs, and has worked in similar areas in the past at IBM. Currently he works as an independent IT consultant, specializing in Wi-Fi networks and SANs.

Editor's Picks