Timeline Analysis

The Timeline tab provides a chronological view of network traffic, helping you understand when activity occurred and how traffic patterns evolved over the capture period.

How Timeline Data Is Derived

Understanding the binning logic prevents misinterpretation of bar heights, especially for long or high-rate captures.

Bin Assignment

Every conversation stored in the database is assigned to exactly one time bin based on its startTime (the timestamp of its first observed packet). The bin index is computed in O(1):

binIndex = floor( (conversation.startTime - captureStart) / intervalSeconds )

A conversation that spans multiple bins (e.g. a long-lived TCP session) is counted only in the bin where it started, not spread across bins for its entire duration. This means a 10-minute TCP session that started at T=0 appears only in the T=0 bin, even though traffic continued through bins 1–9.

What the Y-axis Measures

Each bar accumulates values from every conversation that started in that bin:

  • Packet count mode: sum of packetCount for all conversations in the bin. packetCount is the total number of tshark output lines (raw frames) for the conversation, both directions combined.

  • Bytes mode: sum of totalBytes for all conversations in the bin. totalBytes is the sum of frame.len (on-wire frame length including all headers) for all packets in the conversation.

Because a conversation is counted only once (at its start time), a burst of many short connections will produce a tall bar at their start time, while a single long connection of the same total bytes will produce one bar at the start of the session only. The chart shows conversation activity density, not continuous throughput.

Protocol Color Breakdown

Each bar is split by protocol. The protocol label used is the _ws.col.Protocol value from the first tshark pass — the Wireshark display column label uppercased and truncated to 20 characters. Conversations with the same protocol value are grouped together within a bar segment.

Auto-Interval Adjustment

When “Auto” granularity is selected, or when the requested granularity would produce more data points than the configured maximum, TimelineService automatically widens the interval:

adjustedInterval = ceil( captureDurationSeconds / maxDataPoints )

where maxDataPoints defaults to a server-side configuration value. The adjustment is logged at INFO level:

Timeline auto-adjusted: duration=3600s, requestedInterval=1s,
adjustedInterval=4s, expectedBins=3600, limit=500

This means: if you request 1-second bins for a 1-hour capture but the maximum data points is 500, the interval is automatically widened to ceil(3600/500) = 8 seconds per bin. The UI shows the actual interval used.

Chart Layout

Traffic is visualised as a stacked bar chart:

  • The X axis represents time bins, labelled with the bin start time.

  • The Y axis represents either packet count or byte volume (toggle between the two using the view control).

  • Each bar is color-coded by protocol (_ws.col.Protocol label).

Time Granularity

You can control how finely the time axis is divided:

  • Auto — TracePcap picks a suitable granularity based on the capture duration (e.g. seconds for a 1-minute capture, minutes for a 1-hour capture), subject to the maximum data-points limit described above.

  • Manual — choose from: 1 s, 5 s, 30 s, 1 min, 5 min, 15 min, 1 hour. The selected interval may be automatically widened if it would exceed the data-points limit.

Protocol Breakdown

A legend below the chart lists every protocol color. Clicking a legend entry toggles that protocol’s visibility, letting you isolate specific traffic types.

Interaction

  • Hover over a bar to see an exact breakdown of protocols and volumes for that time bucket.

  • Click a bar to filter the Conversations tab to only the conversations active during that time bucket.