To expose a microburst, egress traffic must be captured and analyzed using Wireshark’s I/O Graphs with a highly precise time scale (0.001-second tick intervals). If the traffic volume within that millisecond window spikes past the line rate of the interface, definitive proof of a microburst is established.
Step 1: Pinpoint the suspect interface. Interfaces experiencing a steady rise in egress (output) drops despite low average utilization must be identified. For instance, packet drops may be observed on a 1 Gbps link that maintains an average load of only 150 Mbps.
Step 2: Perform a traffic packet capture.
A traffic packet capture should be initiated via either the FortiGate GUI or CLI. Alternatively, port mirroring can be configured on one of the FortiGate interfaces. From the CLI, the built-in sniffer is used:
diagnose sniffer packet <interface> <'filter'> <verbose> <count> <timestamp_format>
Step 3: Analyze the capture in Wireshark.
The resulting PCAP file must be opened in Wireshark, followed by navigating to Statistics -> I/O Graph.
At Wireshark's default 1-second interval, the traffic baseline will likely appear smooth and well under capacity. This occurs because a 1 Gbps interface can comfortably transmit 1,000 Mb of evenly distributed data over the course of a full second without straining the hardware.
However, if a significant portion of that data attempts to exit the port within a fraction of a second, the interface buffers will saturate almost instantly, resulting in dropped packets. To visualize this behavior, the graph scales must be aligned with the time scale at which network hardware actually processes packet bursts.
Step 4: Recalculate and adjust the graph scales.
The link speed must be converted to match a 0.001-second (1 millisecond) window.
Total link speed: 1 Gbps = 1,000,000,000 bits/second.
Per-millisecond limit: 1,000,000,000 bits / 1,000 ms = 1,000,000 bits per 0.001 second.
In the Wireshark I/O Graph settings, the interval must be reduced to 1 ms (0.001 second) and the Y-axis unit set to bits, so that each plotted point can be compared directly against the 1,000,000-bit per-millisecond limit.
Step 5: Identify the microbursts.
The newly scaled graph should be scanned for transient anomalies. If traffic spikes breach the 1,000,000-bit threshold on the Y-axis, sub-second microbursting is confirmed. Network hardware lacks the buffer capacity to absorb these instantaneous volume spikes, forcing tail drops.
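The same per-millisecond check, as an added example that is not part of this article or of any Fortinet tool: the script bins frames into 1 ms windows, scales the line rate to that window, and flags windows above the limit. The `sample_frames` data is constructed (150 Mbps spread evenly plus one burst inside a single millisecond); `parse_tshark_fields` assumes input produced by `tshark -r capture.pcap -T fields -e frame.time_epoch -e frame.len`.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Frame = Tuple[int, int]  # (timestamp in microseconds from capture start, frame length in bytes)


def per_window_limit_bits(line_rate_bps: int, window_us: int) -> int:
    """Line rate scaled to one graph window: 1 Gbps over 1,000 us -> 1,000,000 bits."""
    return line_rate_bps * window_us // 1_000_000


def bin_frames(frames: Iterable[Frame], window_us: int) -> Dict[int, int]:
    """Sum frame bits per window, keyed by window index (timestamp // window_us)."""
    bits: Dict[int, int] = defaultdict(int)
    for ts_us, length in frames:
        bits[ts_us // window_us] += length * 8
    return dict(bits)


def find_microbursts(frames: List[Frame], line_rate_bps: int, window_us: int = 1000) -> List[Tuple[int, int]]:
    """Return (window_start_us, bits) for every window whose volume exceeds the scaled line rate."""
    limit = per_window_limit_bits(line_rate_bps, window_us)
    bins = bin_frames(frames, window_us)
    return [(idx * window_us, bits) for idx, bits in sorted(bins.items()) if bits > limit]


def average_bps(frames: List[Frame], duration_us: int) -> float:
    """What the default 1-second view shows: total bits averaged over the whole capture."""
    return sum(length * 8 for _, length in frames) * 1_000_000 / duration_us


def parse_tshark_fields(text: str) -> List[Frame]:
    """Assumed input: 'frame.time_epoch frame.len' per line, as tshark -T fields prints it."""
    rows = [line.split() for line in text.strip().splitlines() if line.strip()]
    if not rows:
        return []
    t0 = float(rows[0][0])
    return [(int(round((float(t) - t0) * 1_000_000)), int(n)) for t, n in rows]


def sample_frames() -> List[Frame]:
    """Constructed 1 s capture: 150 Mbps evenly spread plus a 100-frame burst at t = 500 ms."""
    frames = [(i * 80, 1500) for i in range(12_500)]        # 12,000 bits every 80 us = 150 Mbps
    frames += [(500_000 + i * 8, 1500) for i in range(100)]  # 1,200,000 bits inside one millisecond
    return sorted(frames)


if __name__ == "__main__":
    frames = sample_frames()
    print(f"1-second average: {average_bps(frames, 1_000_000) / 1e6:.1f} Mbps")  # 151.2 Mbps
    for start_us, bits in find_microbursts(frames, 1_000_000_000):
        print(f"microburst at {start_us / 1000:.3f} ms: {bits:,} bits (> 1,000,000)")
```

The 1-second average stays near 150 Mbps while the millisecond bin at t = 500 ms carries 1,356,000 bits, which is the discrepancy the I/O Graph exposes.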
Note: Directly selecting any peak within the I/O graph immediately redirects the view to that exact packet within the Wireshark capture pane. This allows for an investigation into which protocols, applications, or source IP addresses are driving the burst. These insights can then be leveraged to develop a targeted mitigation strategy, such as adjusting Quality of Service (QoS) parameters, expanding interface bandwidth, or implementing traffic shaping at the source.