FrameSeer Help
The Traffic tab

The displays in the Traffic tab provide a quick visual summary of your captured traffic. The displays share a number of controls:

  • Before each packet can be added to the displays, it must be decoded. Decoding each packet takes a small amount of time. The progress indicator shows whether the displays are complete.
  • You can use the Layer popup menu to change the view of your data.
  • The Scale slider zooms the display in and out. Together with the scroll bars, the scale slider helps you focus on important information in busy traffic displays.

Map (Traffic Patterns)

The Map display shows you where your traffic came from and where it is going. In larger captures, the thickness of the lines is proportional to the amount of traffic.

The Data Link view shows end-station relationships at Layer Two. For example, traffic going to, or coming from, another subnet must traverse a router. If you have a lot of non-local traffic in a capture, you should expect to see the router’s MAC address figuring prominently.

The Network view shows end-station relationships at Layer Three. You would expect to see IP addresses in this view.

The Transport view shows relationships at Layer Four, where you would expect to see datagram protocols such as POP3, SMTP and HTTP.

FrameSeer does not limit the number of hosts which can be represented in a map. However, if your capture includes a large number of hosts, the map may become crowded and difficult to read. Consider using filters to restrict the capture to the packets you actually need.

Protocol

The Protocol display shows you the distribution of traffic at each layer. Think of each view as showing you what the layer encapsulates. The Data Link layer encapsulates protocols such as IP and ARP, the Network layer carries protocols like TCP and UDP, and the Transport layer carries payloads like HTTP and DNS.

When the traffic displays are stable (i.e., the capture has stopped and the progress indicator is inactive), you can pause your mouse pointer over each label in the X-axis to receive additional information.

Note that the columns in the Transport Layer view may not necessarily add up to 100%. The histogram bars are expressed as a proportion of the total number of packets captured. However, not all protocols have a Layer Four component and this may account for any discrepancy.
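The following added example (not FrameSeer's own code) reproduces the three Protocol views over a handful of constructed Ethernet/IPv4 frames and shows why the Transport view can total less than 100%. The port-to-label table, the function names and the sample frames are assumptions made for illustration.

```python
import struct
from collections import Counter

ETHERTYPES = {0x0800: "IP", 0x0806: "ARP"}
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}
PORTS = {25: "SMTP", 53: "DNS", 80: "HTTP", 110: "POP3"}  # assumed port-to-label map

def decode(frame):
    """Return the label each view would show for one Ethernet frame.

    A label is None when the frame has nothing at that layer."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    data_link = ETHERTYPES.get(ethertype, hex(ethertype))
    if ethertype != 0x0800:
        return data_link, None, None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[14 + 9]
    network = IP_PROTOS.get(proto, str(proto))
    if proto not in (6, 17):              # only TCP and UDP carry ports
        return data_link, network, None
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return data_link, network, PORTS.get(dport) or PORTS.get(sport) or "other"

def distribution(frames):
    """Per-view percentages, each expressed against the total frame count."""
    views = [Counter(), Counter(), Counter()]
    for f in frames:
        for view, label in zip(views, decode(f)):
            if label is not None:
                view[label] += 1
    return [{k: 100.0 * n / len(frames) for k, n in v.items()} for v in views]

def make_frame(proto, dport=0):
    """Build a constructed Ethernet/IPv4 frame (zeroed addresses and checksums)."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    ip = bytes([0x45]) + bytes(8) + bytes([proto]) + bytes(10)
    l4 = struct.pack("!HH", 49152, dport) + bytes(4) if proto in (6, 17) else bytes(8)
    return eth + ip + l4

# Constructed sample: two HTTP, one DNS, one ICMP.
SAMPLE = [make_frame(6, 80), make_frame(6, 80), make_frame(17, 53), make_frame(1)]

if __name__ == "__main__":
    for name, view in zip(("Data Link", "Network", "Transport"), distribution(SAMPLE)):
        print(f"{name:10} {view}  total={sum(view.values()):.0f}%")
```

The ICMP frame is counted in the Data Link and Network views but contributes nothing to the Transport view, so that view totals 75% for this sample.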

Size

This display shows you the distribution of the frame sizes of your network traffic at the Data Link layer. As with the Protocol display, pausing your mouse pointer over an X-axis label shows additional information. Note that the presence of a label indicates that at least one frame of that size range exists.

Think of this display as giving you a measure of the overall efficiency of your network. In general, the purpose of a network is to transport user information between end-stations. Each frame transmitted on the network incurs a fixed overhead. Therefore, the larger the user payload per frame, the fewer the number of frames required to transport a given amount of user information, the less bandwidth consumed by the fixed overheads, and the greater the effective utilisation of the available bandwidth.

Or, to put it in simple terms:

Large Packets Good, Small Packets Bad.

Of course, you may not be able to influence the size of the packets on your network in any meaningful way. However, if you are lucky enough to be involved when applications designers are contemplating a new system, you may be able to gently guide them away from any incipient “we need lots of packets per second” and “the network is assumed to be able to cope” foolishness.

Extended Analysis

FrameSeer’s Capture tab is your base of operations for extended analysis. The data contained in the columns of the Capture tab can be copied to the clipboard and pasted into other applications.

See Copying captures to the clipboard for an example.