Wireshark's “IO Graphs” tool allows network professionals to graphically represent data within the packet capture for a more visual information analysis. It can prove very useful to graph the occurrence of events over time or to graph the relationship between multiple packets over time. For example, it may be useful to visualize the number of data frames transmitted in relation to the number of retransmitted frames over a period of time. The IO Graphs tool automates the process of creating these visualizations, avoiding the time-consuming need to manually gather this data.

To access the IO Graphs tool, navigate to the Statistics menu, then select IO Graphs.

Tip: If you click on a location on the graph curve, the capture will automatically snap to the frames near the same time frame/event that you clicked.

First, let's look at how we can graph the data rate over time. This is a useful benchmark for evaluating the health of a WLAN. Consistent and high data rates/MCS suggest a healthy, well-performing RF environment. Consistent and low data rates/MCS suggest a poor RF environment with slow talking clients that require deeper investigation as to the root cause. Inconsistent or fluctuating data rates/MCS suggest a poor RF environment with intermittent noise or interference.

You can graph the data rate used to transmit frames using the following filter. The filter for the data rate field is: wlan_radio.data_rate

You can graph this field over time by using the Wireshark IO Graphs tool. After opening the IO Graphs tool, double click on the fields to make changes:

Graph Name: DR (or whatever descriptive name you would like to use).
Display Filter: wlan.fc.type=2 – Filter to focus on frames containing the field you are interested in examining. For example, filtering on “type=2” will limit the graph to include only data frames, ignoring management (beacon) and ACK frames.
Color: helpful if each rule has a different colour.
Y Axis: MAX(Y Field) – defines the scale for the Y-axis.
Y Field: wlan_radio.data_rate – filter for the field you want to plot.
Enabled: Check the box to graph this plot.

There is an optional QBSS load information element inside some management frames that reports channel utilization (CU) from the perspective of the access point's radio. The QBSS value is reported on a scale of 255. To determine the percentage, divide the value by 255 – more on this later when we copy data to Excel.

The filter for the channel utilization (CU) field is:

Graph Name: CU (or whatever descriptive name you would like to use).
Display Filter: fc.subtype=0x8 – Filter to focus on frames containing the field you are interested in examining. It's useful to limit the graph to include a subset of the frames you want to focus on. For example, a display filter of “ subtype 0x8” will limit the capture to only include beacon frames which contain the QBSS CU field.
Y Axis: AVG(Y Field) – defines the scale for the Y-axis.

Introduction to Display Filters

Display Filters are a large topic and a major part of Wireshark's popularity. If you are unfamiliar with filtering for traffic, Hak5's video on Display Filters in Wireshark is a good introduction. Display filters allow you to use Wireshark's powerful multi-pass packet processing capabilities. To use a display filter with tshark, use the -Y 'display filter' option.
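
The per-interval AVG(Y Field) and MAX(Y Field) values that IO Graphs plots, and the divide-by-255 conversion for the QBSS value, can also be computed outside Wireshark. The following is an added example, not code from the original page: it assumes tab-separated time/value rows as tshark would emit with -T fields, the sample rows are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample rows: relative time (s) <TAB> field value.
# Assumed to come from a command such as (capture.pcapng is a placeholder):
#   tshark -r capture.pcapng -Y 'display filter' -T fields \
#          -e frame.time_relative -e wlan_radio.data_rate
DATA_RATE_ROWS = """\
0.10\t144.4
0.55\t130
0.90\t6
1.20\t144.4
1.80\t
2.40\t72.2
2.70\t86.7
"""

# Constructed QBSS channel-utilization samples (raw values on the 0-255 scale).
CU_ROWS = "0.2\t51\n0.7\t102\n1.3\t255\n"

def parse_rows(text):
    """Yield (time, value) pairs, skipping rows where the field is absent."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 2 or not parts[0].strip() or not parts[1].strip():
            continue  # frame matched the filter but carried no such field
        # tshark joins multiple occurrences with commas; keep the first one
        yield float(parts[0]), float(parts[1].split(",")[0])

def bin_stats(rows, interval=1.0):
    """Per-interval AVG, MAX and sample count of the field, like an IO Graphs plot."""
    bins = defaultdict(list)
    for t, v in rows:
        bins[int(t // interval)].append(v)
    return {
        b * interval: {"avg": sum(vs) / len(vs), "max": max(vs), "n": len(vs)}
        for b, vs in sorted(bins.items())
    }

def cu_percent(raw):
    """Convert a QBSS value (scale of 255) to a percentage."""
    if not 0 <= raw <= 255:
        raise ValueError(f"QBSS value out of range: {raw}")
    return raw / 255 * 100

if __name__ == "__main__":
    for start, s in bin_stats(parse_rows(DATA_RATE_ROWS)).items():
        print(f"{start:4.1f}s  avg={s['avg']:6.1f}  max={s['max']:6.1f}  n={s['n']}")
    for start, s in bin_stats(parse_rows(CU_ROWS)).items():
        print(f"{start:4.1f}s  CU avg={cu_percent(s['avg']):5.1f}%")
```

Intervals with no matching frames are simply absent from the result, so a gap in the output corresponds to a gap in the plotted line.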