telecom • networking • design


Visualize and Diagnose Wireshark PCAP Files with Sequence Diagrams

Introducing VisualEther Protocol Analyzer 6.1. Diagnose and debug Wireshark logs with sequence diagrams. Convert PCAP files into sequence diagrams and call flow diagrams by just defining the message fields that should be included in the diagrams. VisualEther takes care of the rest, generating a well formatted sequence diagram. You can click on individual messages in the sequence diagram to see field level details.

VisualEther 6.1 adds the following features:

  • Full IPv6 Support
  • Convert any custom protocol to sequence diagrams. Fully customize the diagram generation.
  • Display message details as an expandable list.
  • Added support for Wifi and Ethernet frames

Wireshark to sequence diagrams

Visually debug protocol interactions


Generate sequence diagrams and call flow diagrams from Wireshark output. The sequence diagrams provide a visual trace of the packet flow between different nodes.

Use regular expressions to identify and flag error scenarios. Messages reporting session failure can be bookmarked in a PDF file, thus giving you quick access to the cause of failure. Protocol experts can identify the error scenarios upfront to speed up protocol debugging.

Summarize Wireshark output…

Wireshark Extraction Template

Define templates to select messages and the fields to be included in the generated diagrams. VisualEther analyzes the Wireshark output to generate documents that match the defined template. The template is defined as a simple XML file.

Support for IPv4, IPv6, Ethernet and Wifi is built in. TCP, UDP and SCTP transport layer support is also available out of the box.

You can customize the templates for any protocol that has a Wireshark dissector. Any custom source and destination addresses can be used to define the sequence diagram instance axes.

…while maintaining full message detail

Wireshark message shown in full detail.

Click on any message in PDF sequence diagrams. VisualEther shows you complete field level details of that message in a browser window.

The message nodes can be expanded and collapsed. This way you can focus on the part of the message that interests you.

Reverse engineer system design

Reverse engineer design from Wireshark

Reverse engineer the system design by analyzing the message flow in an operational system. Design documents are generated from the Wireshark traces. The generated documents can be edited and reformatted using EventStudio System Designer.

Automate diagram generation from Wireshark PCAP Files

Wireshark to sequence diagram generation script

Automate capture of Wireshark logs with tshark and then use the VisualEther command-line mode to generate sequence diagrams and context diagrams.


TCP fast retransmit and recovery

TCP Slow Start and Congestion Avoidance lower the data throughput drastically when segment loss is detected. Fast Retransmit and Fast Recovery have been designed to speed up the recovery of the connection, without compromising its congestion avoidance characteristics.

Fast Retransmit and Recovery detect a segment loss via duplicate acknowledgements. When a segment is lost, TCP at the receiver will keep sending ack segments indicating the next expected sequence number. This sequence number would correspond to the lost segment. If only one segment is lost, TCP will keep generating acks for the following segments. This will result in the transmitter getting duplicate acks (i.e. acks with the same ack sequence number).

Click here for TCP fast retransmit and recovery sequence diagrams

TCP fast retransmit

The transmitter acts on duplicate acks and retransmits the packet, without waiting for the segment timer expiry.

TCP fast recovery

TCP maintains the current data flow.


TCP congestion avoidance flow

We have already seen that a TCP connection starts up in slow start mode, geometrically increasing the congestion window (cwnd) until it crosses the slow start threshold (ssthresh). Once cwnd is greater than ssthresh, TCP enters the congestion avoidance mode of operation. In this mode, the primary objective is to maintain high throughput without causing congestion. If TCP detects segment loss, it assumes that congestion has been detected over the internet. As a corrective action, TCP reduces its data flow rate by reducing cwnd. After reducing cwnd, TCP goes back to slow start.

Here we examine congestion avoidance in detail: how TCP reacts to the loss of a segment, the changes to the congestion window, and the transition back into slow start.

TCP congestion avoidance sequence diagram


TCP slow start sequence diagrams

TCP is an end to end protocol which operates over the heterogeneous Internet. TCP has no advance knowledge of the network characteristics, thus it has to adjust its behavior according to the current state of the network. TCP has built-in support for congestion control. Congestion control ensures that TCP does not pump data at a rate higher than what the network can handle.

In this sequence diagram we will analyze “Slow start”, an important part of the congestion control mechanisms built right into TCP. As the name suggests, “Slow Start” starts slowly, increasing its window size as it gains confidence about the network's throughput.
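The three posts above (fast retransmit and recovery, congestion avoidance, and slow start) describe one sender-side state machine. The model below is an added example, not code from the blog or from EventHelix; it drives a Reno-style sender with a constructed ack stream (initial ssthresh of 8 segments is chosen so every phase appears within a few acks) and records cwnd after each ack, so the trace can be compared against a sequence diagram.

```python
from dataclasses import dataclass, field

@dataclass
class RenoSender:
    """Sender-side congestion state; cwnd and ssthresh are counted in segments."""
    cwnd: int = 1          # slow start begins with one segment
    ssthresh: int = 8      # constructed threshold so the phases show up quickly
    last_ack: int = 0      # highest ack number seen so far
    dup_acks: int = 0
    ca_acks: int = 0       # acks counted towards the next +1 in congestion avoidance
    in_recovery: bool = False
    retransmits: list = field(default_factory=list)
    trace: list = field(default_factory=list)   # (ack, cwnd) after each ack

    def on_ack(self, ack):
        if ack > self.last_ack:                  # ack advances: new data acknowledged
            if self.in_recovery:                 # retransmission got through: leave fast recovery
                self.cwnd, self.in_recovery, self.ca_acks = self.ssthresh, False, 0
            elif self.cwnd < self.ssthresh:      # slow start: +1 per ack, doubling each RTT
                self.cwnd += 1
            else:                                # congestion avoidance: +1 per cwnd acks (one RTT)
                self.ca_acks += 1
                if self.ca_acks >= self.cwnd:
                    self.cwnd, self.ca_acks = self.cwnd + 1, 0
            self.last_ack, self.dup_acks = ack, 0
        else:                                    # duplicate ack: receiver still wants segment `ack`
            self.dup_acks += 1
            if self.dup_acks == 3 and not self.in_recovery:
                self.retransmits.append(ack)     # fast retransmit, no wait for the RTO
                self.ssthresh = max(self.cwnd // 2, 2)
                self.cwnd = self.ssthresh + 3    # fast recovery: 3 dup acks mean 3 segments left
                self.in_recovery = True
            elif self.in_recovery:
                self.cwnd += 1                   # each further dup ack: another segment left the net
        self.trace.append((ack, self.cwnd))
        return self.cwnd

    def on_timeout(self):
        """RTO expiry: halve ssthresh, collapse cwnd to one segment, back to slow start."""
        self.ssthresh = max(self.cwnd // 2, 2)
        self.cwnd, self.dup_acks, self.in_recovery, self.ca_acks = 1, 0, False, 0
        return self.cwnd

# Constructed ack stream (next-expected segment numbers): acks 1..11 arrive in order, then
# segment 11 is lost, so the four following segments each trigger a duplicate ack=11;
# after the fast retransmit the receiver acks everything up to 16, then 17.
CONSTRUCTED_ACKS = list(range(1, 12)) + [11, 11, 11, 11] + [16, 17]

def run(acks=CONSTRUCTED_ACKS):
    sender = RenoSender()
    for a in acks:
        sender.on_ack(a)
    return sender
```

With the constructed stream, cwnd climbs 2..8 in slow start, stalls at 8 in congestion avoidance, and the third ack=11 triggers a single fast retransmit with ssthresh halved to 4 and cwnd deflated to 4 once ack 16 arrives.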

TCP slow start overview

An overview of TCP slow start.

TCP slow start with socket level details

A detailed look at TCP slow start with socket level state transition details.

Analyze TCP slow start from the server point of view

A sequence diagram describing the slow start with a focus on server end interactions.

Client focused view of the slow start

A final look at slow start. This time with a focus on the client side.


FTP File Transfer Protocol Sequence Diagram

Here we explore the sequence of interactions in a typical FTP (File Transfer Protocol) session. The example here illustrates the use of multiple TCP connections by FTP. We will cover how FTP establishes a telnet TCP connection (TCP Port 21) to control the overall flow of the FTP transfer.

Then we examine the use of TCP Port 20 for establishing TCP connections for directory transfer and file retrieval.

The complete sequence diagram can be divided into the following steps:

  • DNS query to obtain the IP address of the FTP server
  • FTP Telnet connection setup and login (USER and PASS commands)
  • Obtaining a directory listing (PORT and LIST commands)
  • Changing directory (CWD command)
  • Downloading a file using FTP get (PORT and RETR commands)

These phases are analyzed with sequence diagrams and context diagrams that provide multiple views of the FTP interactions.
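To correlate the control channel with the data connections in a capture, the steps above can be recovered from the port 21 conversation alone. The parser below is an added example, not code from the post; the transcript it reads is constructed, and the PORT decoding (port = p1*256 + p2) follows RFC 959.

```python
import re

# Constructed control-channel transcript ('>' client to server, '<' server to client);
# not a capture from the post.
CONSTRUCTED_CONTROL = """\
< 220 FTP server ready
> USER alice
< 331 Password required
> PASS s3cret
< 230 User logged in
> PORT 192,168,1,10,4,1
< 200 PORT command successful
> LIST
> CWD /pub
> PORT 192,168,1,10,4,2
> RETR readme.txt
"""

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")

def parse_port(command):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (host, tcp_port) with port = p1*256 + p2."""
    m = PORT_RE.match(command)
    if not m:
        return None
    host = ".".join(m.group(i) for i in range(1, 5))
    return host, int(m.group(5)) * 256 + int(m.group(6))

def summarize(transcript=CONSTRUCTED_CONTROL, control_peer="192.168.1.10"):
    """Return the client's session steps and the data connections announced via PORT.
    Each data connection is (host, port, same_as_control_peer): in active mode the
    server connects from TCP port 20 to that address, which is what to match in the capture."""
    steps, data_conns = [], []
    for line in transcript.splitlines():
        direction, _, text = line.partition(" ")
        if direction != ">":
            continue                         # server replies do not change the phase
        cmd, _, arg = text.partition(" ")
        if cmd == "PORT":
            parsed = parse_port(text)
            if parsed:
                data_conns.append((parsed[0], parsed[1], parsed[0] == control_peer))
        elif cmd == "PASS":
            steps.append(("PASS", "***"))    # never copy credentials into a report
        elif cmd in ("USER", "LIST", "CWD", "RETR"):
            steps.append((cmd, arg))
    return steps, data_conns
```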

FTP protocol sequence diagram

FTP High Level Overview

FTP control port (TCP port 21) handling

FTP data port (TCP port 20) handling

FTP context diagram