Using a bandwidth preview to triage captures

2 min read

CloudShark 2.5, added a cool new feature: the ability to view a small sparkline graph of each of your captures packets-per-second (bandwidth). You can add this to your index view by editing the table options in your capture file index.

How might such a thing be useful?

Quickly noticing patterns

Some issues can be seen in the regularity of certain traffic patterns. For instance, seeing packet rate spikes occur at regular intervals can point to a rogue agent on your network attempting some funny business, or issues with applications trying to accomplish some network heavy task, then repeating it when it is unsuccessful.

Searching for matches and outliers

In situations where you have multiple captures of a particular event or time period, you can often immediately notice a potential intrusion or attack by comparing the bandwidth graphs of these captures and looking for outliers. Is there an area where the bandwidth suddenly spikes and remains constant? Conversely, are there two captures that seem identical in their traffic pattern?

Finding packet loss

If you have a constant (even if random) bandwidth pattern over several captures, seeing the graph drop to zero suddenly can indicate an exact time when severe packet loss occurred, from a failed system or lost connection.

In any case, we’re sure you can come up with many more uses! Enjoy this extra addition to your CloudShark capture repository.

Get articles like this in your inbox: