The detection of such abnormal traffic and then separation of DDoS attacks from FC is also a focused challenge. Both DDOS and FC are considered abnormal traffic in communication networks. On the other hand, legitimate users may produce a larger amount of traffic known, as the flash crowd (FC). Most of the DDoS detection systems rely on the analysis of the flow of traffic, ultimately with a conclusion that high traffic may be due to the DDoS attack. The deployed environment of WSNs is noncentral, unattended, and administrativeless therefore, malicious attacks such as distributed denial of service (DDoS) attacks can easily be commenced by the attackers. The nodes in WSNs, due to their vulnerable nature, are always prone to various potential threats. These networks are deployed in such places where the repairments, in most cases, become difficult. Hopefully I answered your question, got a little carried away.Wireless sensor networks (WSNs) are low-cost, special-purpose networks introduced to resolve various daily life domestic, industrial, and strategic problems. Here is a list of channel and other filters that you can apply wireshark filters. You can filter wireshark information by applying channel filter. If this time is long it could indicate some type of delay in the network (packet loss, congestion, etc) _rtt – measures the time delta between capturing a TCP packet and the corresponding ACK for that packet. If you see a number consistently lower than your TCP window size, it could indicate packet loss or some other issue along the path preventing you from maximizing throughput. The number of unacknowledged bytes should never exceed your TCP window size (defined in the initial 3 way TCP handshake) and to maximize your throughput you want to get as close as possible to the TCP window size. _in_flight – the number of unacknowledged bytes on the wire at a point in time. This would indicate the receiving end is overwhelmed. If you see this window size drop down to zero(or near zero) during your transfer it means the sender has backed off and is waiting for the receiver to acknowledge all of the data already sent. _update – this will graph the size of the TCP window throughout your transfer. This usually shows up as slow application performance and/or packet loss to the user A few retransmissions are OK, excessive retransmissions are bad.
A high number of duplicate ACKs is a sign of possible high latency between TCP endpoints – Displays all retransmissions in the capture. _ack – displays packets that were acknowledged more than one time. Packet loss can lead to duplicate ACKs, which leads to retransmissions _segment – Indicates we’ve seen a gap in sequence numbers in the capture.
Here are some filters that are commonly used.
You can always apply common troubleshooting filters to troubleshoot slow downloads/uploads or other application type problems. Its mostly useful for troubleshooting seeing spikes and dips in your traffic, btw, to look into the traffic closer you can click on any point on the graph and it will focus on that packet and display the information in the background packet list window. In default the x-axis is the tick interval per second, and y-axis is the packets per tick (per second). Wireshark IO Graphs will show you the overall traffic seen in a capture file which is usually measured in rate per second in bytes or packets (which you can always change if you prefer bits/bytes per second).