The TCP Time Sequence Graph is one of the more professional modules. It visualize the packet TCP sequence number over time with additional information about the advertised TCP Window, retransmissions, ACK and SACK information.
This visualization is quit powerful: the rise is a indicator over the available bandwidth (the higher the gain the higher the throughput). Differences between Sequence Number and advertised window can show if the receiving application sleep too long or if the receiving stack has problems with the right buffer sizing. Retransmission (colored as red arrows) point to channel problems or packet drop and so on. One time I will write a tutorial how to interpret this extended version of Stevens Time Sequence graph.
The following image show TCP characteristic over a link with ~20% packet loss rate.
|Short option||Long option||Description|
|-f connections||--data-flow=connections||specify the number of relevant id's|
|-t timeframe||-time=timeframe||select range of displayed packet|
|-Z||--zero||start sequencenumber with 0 in graph|
|-e||--exended||visualize extended information (PSH, ECE, CRW)|
|-i||--init||create gnuplot template and makefile in output-dir|
|-o outputdir||--output-dir=outputdir||specify the output directory|
|-h||--help||print this help screen and usage info|
Per default the Time Sequence Graph will use real sequence
numbers on the Y-axis. TCP's ISN (initial sequence number) is
"randomly" chosen by the TCP stack.
("Randomly" means under Linux a function of source
port and destination port, source and destination address and
hashed with a secret. Because the ISN must monotone increase
the value is mapped in the upper bits in the ISN where the lower
bits are the system time. See section 3 of
RFC 6528 for
discussions of the ISN.) Which leads often in hard readable
numbers on the axis. The Zero Option (
--zero) will set the initial sequence number to 0
and shift all successive sequence and ACK numbers by this
delta. This includes TCP SACK (Selective ACK) numbers as well
as the advertised window.
Nice effect of this option: it is instantly visible how much data was transmitted over time. The following image show a graph, generated w/o zero option on the left hand side and on the right hand side a graph with zeroize enabled. As you can see, approx 1.4MB are transfered.
This option stop your boss asking what the large numbers on the y-axis mean! ☺
The Timeframe option provides a way to zoom into the relevant parts of the trace. To limit the graph from 8.1 seconds to 9.5 seconds the following captcp command can be used:
captcp timesequence -i -o timesequence-dir -t 8.1:9.5 -f 1.1 upload-2MB.pcap cd timesequence make png
The extended option (since Captcp v1.1-12-g45ad170) show additional TCP packet information:
The Push flag is visualized with a arrow in the data direction - just as a push toward the data: ⇒. ECE and CWR are visualized in the opposite directory: ⇐, like a marker "stopping" the data flow. The option is by default disabled because the plot can be rather overloaded and is rarely beneficial. Note that CWR marker is visualized a little bit darker: , where ECE marker is colored in plain green: