Since UDP is not connection-oriented, we measure delays between requests and responses. In the upcoming labs you will examine UDP conversation statistics and two time field columns to detect delays in all UDP-based applications.
Wireshark Lab 22: Obtain UDP Conversation Statistics and Filter on a UDP Conversation
Use the Conversations window to obtain basic UDP conversation statistics such as packet rate, bits-per-second rate and conversation duration.
Click the UDP tab. If you prefer seeing port numbers rather than port names, uncheck the Name Resolution option.
Step 4:
To sort UDP conversations based on traffic flowing from Address A/Port A to Address B/Port B, click twice on the bps A→B column heading. The conversation between 192.168.5.11/port 25426 and 192.158.5.10/port 8000 is listed first.
Step 5:
This conversation also appears to be the most active UDP conversation based on the Bytes column value. Right-click on this conversation line and choose Apply as Filter | Selected | A B.
Before using frame.time_delta_displayed, filter on a UDP conversation so you have a "displayed" set. Before using frame.time_delta, consider filtering on a UDP conversation and saving the conversation in a separate trace file. Interwoven UDP conversations will make it more difficult to locate delays in a single conversation.
Step 6:
Select File | Export Specified Packets and name your new file udpconv1.pcapng. Clear your display filter and close the Conversations window when you are done.
Filtering on and exporting a conversation to a separate trace file can help remove unrelated traffic from view. When you open the new single-conversation trace file, Wireshark's statistics only relate to that traffic set, often making it easier to identify performance issues.
Wireshark Lab 23: Add/Sort a Delta Time Column
The default Time column setting is Seconds Since Beginning of Capture. It is usually easier to spot delays when a time column displays delta times. Sorting a delta time column from high to low displays the largest delays in the trace file. In this lab you will create a frame.time_delta column, which indicates the time elapsed from the end of one packet to the end of the next, and sort it to locate high delta times.
Step 1:
Open tr-malaysianairlines.pcapng. If this file is still open from the previous lab, click the No. column heading once to sort by frame number.
Step 2:
Expand the Frame section of any packet.
Step 3:
Right-click on the Time delta from previous captured frame line and select Apply as Column. You have now created a frame.time_delta column.
Step 4:
Your new column appears to the left of the Info column. Click and drag your new column to the right of the existing Time column.
Step 5:
The column name can be shortened by right-clicking on the column heading and selecting Edit Column Details. Consider changing the Title to Delta. Click OK.
Step 6:
Click your new Delta column heading twice to sort from high to low. If necessary, click the Go To First Packet button to jump to the top of the sorted list. The packets with the largest delays between them are located at the top of the list. (Note: In the image below, we have hidden the Time and Length columns by right-clicking on those columns and selecting Hide Column.)
There are numerous "normal" delays in this trace file. We do not care about the delays before DNS queries, TCP RST packets, or TCP FIN packets. We do care about delays before DNS and HTTP responses.
In the next lab, you will apply a display filter and use frame.time_delta_displayed to locate delays in the DNS responses.
Click the Resize All Columns button to quickly reset column widths after creating a column.
Wireshark Lab 24: Add/Sort a Delta Displayed Time Column
When you apply a filter, you can use a Delta Displayed time column to identify delays between displayed packets. In the previous step-by-step lab, we saw DNS and HTTP packets in the trace file. Now we will create another new time column to show the delta times of DNS traffic only.
In Wireshark 1.10.x, there is a bug in the frame.time_delta_displayed calculation. To avoid this bug, we will add our delta displayed time column using Wireshark's Preferences window and the Delta time displayed predefined column.
Step 1:
Open tr-malaysianairlines.pcapng.
Step 2:
Click the Preferences button on the Main Toolbar and then select Columns.
Step 3:
Click the Add button. In the drop-down Field Type list, select Delta time displayed. Click on the column name and change the value from New Column to Delta Displayed.
Step 4:
Click and drag your Delta Displayed column above the Source column. Click OK. You can right-click on your new column heading to set left alignment, if desired.
When the frame.time_delta_displayed calculation bug is fixed, you will be able to simply right-click on the Time delta from previous displayed frame line in a packet Frame section and select Apply as Column.
Step 5:
Now let's apply a filter for DNS traffic. In the display filter area, enter dns and click Apply.
Step 6:
Click twice on your new Delta Displayed column to sort from high to low. We do not care about delays before DNS queries, but we do care about delays before DNS query responses.
There are two DNS responses that are particularly "slow" in the trace file—Packet 2 and Packet 1,281. The delays may be caused by the local DNS server performing recursive queries to obtain the data because it does not have these names in its cache.
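The difference between the two columns built in Labs 23 and 24 is easy to see when both are computed over the same packet list. The following Python is an added example, not part of the lab or of Wireshark; it uses a small constructed set of frames (not tr-malaysianairlines.pcapng) and a stand-in for the dns display filter, and it keeps only the delays that matter, those before responses rather than before queries.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    number: int
    time: float        # seconds since beginning of capture (Wireshark's default Time column)
    proto: str         # "DNS", "HTTP" or "TCP"
    is_response: bool  # True for a DNS/HTTP response, False for queries, requests and bare TCP

# Constructed sample frames, not taken from tr-malaysianairlines.pcapng.
FRAMES = [
    Frame(1, 0.000, "DNS", False),
    Frame(2, 0.850, "DNS", True),   # slow DNS response: a delay we care about
    Frame(3, 0.852, "TCP", False),
    Frame(4, 0.853, "TCP", False),
    Frame(5, 0.900, "HTTP", False),
    Frame(6, 0.950, "HTTP", True),
    Frame(7, 2.100, "DNS", False),  # idle gap before a query: a "normal" delay
    Frame(8, 2.115, "DNS", True),
    Frame(9, 2.200, "TCP", False),
]

def is_dns(frame):
    """Stand-in for the display filter 'dns'."""
    return frame.proto == "DNS"

def time_delta(frames):
    """frame.time_delta: seconds since the previous captured frame (0 for the first frame)."""
    deltas, prev = {}, None
    for f in frames:
        deltas[f.number] = 0.0 if prev is None else round(f.time - prev.time, 6)
        prev = f
    return deltas

def time_delta_displayed(frames, display_filter):
    """frame.time_delta_displayed: seconds since the previous frame that passes the filter."""
    deltas, prev = {}, None
    for f in frames:
        if not display_filter(f):   # hidden frames do not count as the previous frame
            continue
        deltas[f.number] = 0.0 if prev is None else round(f.time - prev.time, 6)
        prev = f
    return deltas

def slow_responses(frames, display_filter, threshold):
    """Delays that matter: delta displayed time before a response, at or above threshold
    seconds, sorted high to low like the Delta Displayed column sorted in Lab 24."""
    deltas = time_delta_displayed(frames, display_filter)
    hits = [(deltas[f.number], f.number) for f in frames
            if f.number in deltas and f.is_response and deltas[f.number] >= threshold]
    return sorted(hits, reverse=True)
```

Frame 7 has the largest delta under both columns, but it is a query, so it is ignored; Frame 2 is the slow response that would top the sorted list.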
In the next lab we will graph UDP delays using a frame.time_delta_displayed filter value.
Wireshark Lab 25: Graph UDP Delays
You can use Wireshark's Advanced IO Graph with a filter and a reference to the maximum frame.time_delta_displayed value to create a picture of delays in a trace file.
Step 1:
Open tr-queuing.pcapng.
Step 2:
Select Statistics | IO Graph.
Step 3:
In the Y Axis Unit area, select Advanced...
Step 4:
This trace file contains less than 2 seconds of traffic. In the X Axis Tick Interval area, select 0.01 sec.
Step 5:
Select the MAX(*) Graph 1 Calc option and enter frame.time_delta_displayed in the Calc area.
Step 6:
Click the Graph 1 button to graph your results.
At approximately 1.2 seconds into the trace file, you can see a sudden increase in the delta time.
When you click on these points in the graph, Wireshark jumps to that point in the trace file. This enables you to do additional analysis on the trace file.
If you work on a trace file that contains TCP-based traffic, enter udp in the Graph 1 filter area before you click the Graph 1 button.
Don’t forget to close the IO Graph when you are finished.
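To show what the Advanced IO Graph in Lab 25 actually plots, here is an added Python example (not part of the lab or of Wireshark) that buckets frame.time_delta_displayed into 0.01 second tick intervals and keeps the MAX(*) value per interval, together with the frame that produced it. The arrival times are constructed, not taken from tr-queuing.pcapng, and are assumed to already be the frames that pass the udp filter.

```python
import math

# Constructed arrival times (seconds) of frames passing the 'udp' filter, not from
# tr-queuing.pcapng: ~10 ms pacing, then a stall until a burst that starts at 1.35 s.
UDP_TIMES = [round(0.01 * i, 3) for i in range(120)] + [1.35, 1.36, 1.37]

def io_graph_max_delta(times, tick=0.01):
    """Emulates IO Graph with Y Axis Unit Advanced, MAX(*) of frame.time_delta_displayed
    and an X Axis Tick Interval of `tick` seconds. Returns {tick_start: (largest delta
    displayed time among frames arriving in that interval, number of that frame)}."""
    graph = {}
    prev = None
    for number, t in enumerate(times, start=1):        # frame numbers in the displayed set
        delta = 0.0 if prev is None else round(t - prev, 6)   # delta to previous displayed frame
        prev = t
        tick_start = round(math.floor(t / tick + 1e-9) * tick, 6)  # interval this frame lands in
        if tick_start not in graph or delta > graph[tick_start][0]:
            graph[tick_start] = (delta, number)
    return graph

def spikes(graph, threshold):
    """Intervals whose plotted value exceeds threshold seconds, in time order: the points
    you would click on in the graph to jump to the delayed packet in the trace file."""
    return sorted((t, d, n) for t, (d, n) in graph.items() if d > threshold)
```

The only spike is the 0.16 s gap in the 1.35 s interval, and the frame number returned with it is the one Wireshark would jump to when that point is clicked.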