Packet Analysis

The CloudShark decoder window provides several graph options. From the decoder window press the Graphs button.

The default graph presented is bandwidth over time. Any previously saved graph can have its properties adjusted by using the Edit button; it is an identical operation to edit the default graph or to create a new one.

Viewing a Graph

When you are viewing a graph, the graph is aware of the mouse cursor and enables it as a selection tool. If you drag across the graph, you will define a zoom range and the graph will redraw itself with the new range. You can always resume viewing the entire range by clicking the Zoom All button.

Editing a Graph

Each graph has several properties that can be adjusted. You must have the appropriate permissions to edit and save graphs.

The timing interval is adjustable, with larger values simply aggregating samples into less specific time ranges. If you select a very large interval, all of the packets within it are represented by a single data point. Reducing the interval will increase the data points to match the resolution you have selected. CloudShark will artificially limit the interval value if the number of packets would pose an unreasonable processing requirement.

The Y-axis units always represent a quantity. This is selectable as:

  • Packets
  • Bytes
  • Bits
  • Value
  • Packets/second
  • Bytes/second
  • Bits/second

The default time range is the delta spanning from the time the first packet is recorded, i.e. relative time. You can switch this to the absolute time recorded in the capture file.

Annotations are also displayable in the graph, and will be visually associated with the packet they represent.

You can select multiple views of the information within the graph, each overlaid on the previous. New views are defined by Display Filters. These are identical to the display filters used in the Decoder window: you specify a subset of the capture file’s total packet list to create your desired view. A simple example would be adding a second Display Filter on ‘icmp’, which will show you an overlay of the ICMP packets in the file. By stacking views together this way, a user can get a visual representation of an ICMP flood attack very easily.

Various visual filling techniques are available: you may select from columns, lines, slines, areas, et cetera. In addition, labels can be assigned to each data series by appending the label to the end of the display filter within curly braces. For example, if the display filter for your first data series is ip.addr==, you could add a label of “host 1” as follows: ip.addr== {host 1}. This feature is useful if you have long display filters, which can be cumbersome and difficult to interpret when used in a graph.

Graph Functions

There are a number of functions available when viewing a graph of a capture file. The available functions are:

  • SUM(field)filter - The values of a field added together
  • MIN(field)filter - The minimum value of a field
  • AVG(field)filter - The average value of a field
  • MAX(field)filter - The maximum value of a field
  • COUNT(field)filter - The number of packets with a given field

Each of these functions plots the information above per Time Interval as specified while editing a graph. The Y-axis units must also be set to Value to plot these functions.

The specified field MUST also be part of the filter. For example, if you wanted to graph the maximum time between TCP frames, you would need to use the following:

MAX(frame.time_delta)frame.time_delta && tcp

Entering MAX(frame.time_delta)tcp would not work since frame.time_delta is not explicitly part of the filter.
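As an added example (not CloudShark's own code), the following Python models the series syntax described above: it parses FUNC(field)filter with the optional {label} suffix, enforces the rule that the field must appear explicitly in the filter, and aggregates the field per Time Interval over a constructed packet sample. The filter evaluator is a deliberately tiny stand-in for real display filters, and the packet dictionaries are constructed for illustration.

```python
import re
from collections import defaultdict

# Series syntax from this page: FUNC(field)filter, optionally ending in "{label}".
SERIES_RE = re.compile(
    r"^(?P<func>SUM|MIN|AVG|MAX|COUNT)\((?P<field>[\w.]+)\)"
    r"(?P<filter>.*?)\s*(?:\{(?P<label>[^}]*)\})?$"
)
AGG = {"SUM": sum, "MIN": min, "MAX": max,
       "AVG": lambda v: sum(v) / len(v), "COUNT": len}

def parse_series(expr):
    """Return (func, field, filter, label); reject a filter that omits the field."""
    m = SERIES_RE.match(expr.strip())
    if not m:
        raise ValueError(f"not a graph function expression: {expr!r}")
    func, field, flt, label = m["func"], m["field"], m["filter"].strip(), m["label"]
    # The page's rule: the field must appear explicitly as a term of the filter.
    if not re.search(r"(?<![\w.])" + re.escape(field) + r"(?![\w.])", flt):
        raise ValueError(f"field {field!r} is not part of the filter {flt!r}")
    return func, field, flt, label

def matches(pkt, flt):
    """Tiny stand-in for display filters: '&&'-joined terms, each a protocol
    or field presence test or field==value (the real decoder does far more)."""
    for term in (t.strip() for t in flt.split("&&")):
        if "==" in term:
            name, value = (s.strip() for s in term.split("==", 1))
            if str(pkt.get(name)) != value:
                return False
        elif term not in pkt and term not in pkt["protocols"]:
            return False
    return True

def plot_series(expr, packets, interval):
    """Aggregate one series per time interval, as the Value Y-axis would plot it."""
    func, field, flt, label = parse_series(expr)
    bins = defaultdict(list)
    for pkt in packets:
        if field in pkt and matches(pkt, flt):
            bins[int(pkt["time"] // interval) * interval].append(pkt[field])
    return label or expr, {t: AGG[func](v) for t, v in sorted(bins.items())}

# Constructed sample packets: relative time, protocol set, and frame.time_delta.
PACKETS = [
    {"time": 0.00, "protocols": {"ip", "tcp"}, "frame.time_delta": 0.0},
    {"time": 0.30, "protocols": {"ip", "tcp"}, "frame.time_delta": 0.3},
    {"time": 0.45, "protocols": {"ip", "icmp"}, "frame.time_delta": 0.15},
    {"time": 1.20, "protocols": {"ip", "tcp"}, "frame.time_delta": 0.75},
    {"time": 1.25, "protocols": {"ip", "tcp"}, "frame.time_delta": 0.05},
]

if __name__ == "__main__":
    print(plot_series("MAX(frame.time_delta)frame.time_delta && tcp {slow tcp}", PACKETS, 1.0))
```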

Saving and Sharing

When you have completed your desired settings, you can save the graph. You are always able to return to the graph later and edit these settings. A graph should be given a descriptive title so that others you share your file with can easily determine its purpose.

Once saved, the graph will be accessible directly through its URL, so you can share the results of your graphical analysis directly with others.

Managing Sets of Graphs

From the Decoder window, you can load a Graph and then ‘Open in a new window’ to gain an enhanced graph viewer. This page provides a Graph Index, which allows you to quickly edit and delete all of the saved graphs for a capture file. If you edit a graph, you can save the new settings, or create a new graph.

Exporting and Printing Graphs

You can print your graphs by clicking the ‘Print’ button or save them as an image file with the ‘Export as’ button at the top of each graph. Graphs can be exported to the following formats: .png (Portable Network Graphics), .pdf (Adobe PDF), or .svg (Scalable Vector Graphics).

Adding Labels

User-defined labels can be added to each series plotted on the graph. These labels will then be used in the graph legend in place of the display filter. This feature is very handy when dealing with series generated by long display filters. To apply a label to a series, just append the label in curly braces to the display filter, i.e. if the display filter for a series is tcp.analysis.retransmission, the label TCP Retrans can be added by modifying the display filter to be tcp.analysis.retransmission {TCP Retrans}.