Wireshark mailing list archives

Re: Question about seeing Latency in TCP conversations


From: Martin Visser <martinvisser99 () gmail com>
Date: Mon, 9 Jan 2012 15:39:50 +1100

Press "F1" while in the TCP Stream Graphs window, to see the available
keystrokes that allow you to move around the graph (zooming in and out,
etc).

Just be mindful that when you launch TCP Stream Graphs, you get a totally
different view depending on whether you have selected a Client to Server
versus a Server to Client packet first up. Generally the 2nd (for instance
selecting the SYN-ACK) will be the most useful. This will show the
C-S-C round-trip-time, whereas selecting the initial SYN packet will show
you the S-C-S RTT, which is generally not as useful.

If you really do have an RTT greater than 1 second it should automatically
scale to that. (In my case I just tested a stream that had up to a 1.8 sec
RTT and it displayed correctly.)

Regards, Martin

MartinVisser99 () gmail com


On 9 January 2012 05:14, Sheahan, John <John.Sheahan () priceline com> wrote:

That change worked perfectly Martin and gives me a great view of the
latency for any stream. I had tried the TCP Stream Graph but I notice that
I am unable to change the Y Axis value to anything higher than 1 second so
I constantly miss the graph points whenever latency between packets is
higher than 1 second using this method.

Do you know if there is a way to change the Y axis values on a TCP Stream
Round Trip Time Graph to be more than 1 second or is this a known
limitation?

johnny

*From:* wireshark-users-bounces () wireshark org [mailto:
wireshark-users-bounces () wireshark org] *On Behalf Of *Martin Visser
*Sent:* Saturday, January 07, 2012 10:34 PM
*To:* Community support list for Wireshark
*Subject:* Re: [Wireshark-users] Question about seeing Latency in TCP
conversations

Hi John,

You have almost got there, but not quite. In the variable field where you
have put "time" you need to put a variable that will make sense.
Unfortunately "time" I think is actually a protocol, and probably not
relevant. If you open up the "Frame" section of the Packet Details of a
packet, you will see a number of relevant time variables. In your case I
would choose "frame.time_delta_displayed". (You can find out the variable
name by selecting the relevant field, and looking in the status bar.)

You can then use this in your IO graph.

Don't forget for TCP streams you can also use TCP Stream Graphs available
under the Statistics menu, which can also help you identify delays.

Regards, Martin

MartinVisser99 () gmail com

On 8 January 2012 01:44, Sheahan, John <John.Sheahan () priceline com> wrote:

I have filtered out a single conversation and I have the time display set
to “Seconds since previously displayed packet”. I want to now add the time
field to a graph to show how long it took between packets.

Here is a screen shot of the filtered conversation:

[image]

Here is my attempt at adding the Time field for this filtered conversation
to the graph which did not work and I’m not sure what I’m doing wrong:

[image]

Thanks,

johnny

*From:* wireshark-users-bounces () wireshark org [mailto:
wireshark-users-bounces () wireshark org] *On Behalf Of *Martin Visser
*Sent:* Wednesday, January 04, 2012 5:45 PM
*To:* Community support list for Wireshark
*Subject:* Re: [Wireshark-users] Question about seeing Latency in TCP
conversations

Johnny,

The easiest way is to examine the calculated field "tcp.analysis.ack_rtt".
This appears in the details window if you have TCP Sequence Analysis on.

[image]

You have to be a little careful when using this though, as Wireshark
sometimes miscalculates this in the presence of Duplicate ACKs. The best
way to use it (taking out effects of the server processing delay), is
during the initial handshake. So what I do is filter for
"tcp.flags == 0x12" (which is the SYN/ACK) and plot tcp.analysis.ack_rtt
or add it as a column.

[image]

Regards, Martin

MartinVisser99 () gmail com

On 5 January 2012 08:20, Sheahan, John <John.Sheahan () priceline com> wrote:

I have been given a sniffer trace by our application guys and they want me
to look through it to see if any of the TCP conversations have higher than
normal latencies.

The file is kind of big and too much data for me to filter and look at
each conversation.

Is there an easy way to do this in Wireshark?

Thanks

Johnny


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
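
The SYN/ACK filter from the 4 January reply, applied to every conversation in a large trace at once; this is an added example, not part of the original thread. It assumes the rows were exported with tshark using the thread's `tcp.analysis.ack_rtt` field plus `tcp.stream`, `ip.src` and `ip.dst`; the file name, sample rows, thresholds and function names are constructed.

```python
# Assumed export command (trace.pcap is a placeholder file name):
#   tshark -r trace.pcap -Y "tcp.flags == 0x12" -T fields \
#          -e tcp.stream -e ip.src -e ip.dst -e tcp.analysis.ack_rtt
from statistics import median

# Constructed sample rows: stream, SYN/ACK sender, receiver, ack_rtt (seconds).
# The second row for stream 2 is a repeated SYN/ACK with no ack_rtt value.
SAMPLE = """\
0\t192.0.2.10\t198.51.100.5\t0.021403
1\t192.0.2.10\t198.51.100.6\t0.019876
2\t192.0.2.20\t198.51.100.5\t1.812334
2\t192.0.2.20\t198.51.100.5\t
3\t192.0.2.30\t198.51.100.7\t0.024510
4\t192.0.2.10\t198.51.100.8\t0.310002
"""


def parse_rows(text):
    """Return {stream: (sender, receiver, rtt)} from the first usable SYN/ACK."""
    streams = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not parts[3].strip():
            continue  # malformed row, or no ack_rtt was computed for it
        # setdefault keeps the first SYN/ACK seen and ignores later repeats.
        streams.setdefault(int(parts[0]), (parts[1], parts[2], float(parts[3])))
    return streams


def slow_streams(streams, factor=5.0, floor=0.1):
    """Streams whose handshake RTT exceeds max(floor, factor * median RTT)."""
    baseline = median(rtt for _, _, rtt in streams.values())
    limit = max(floor, factor * baseline)
    hits = [(s, src, dst, rtt) for s, (src, dst, rtt) in streams.items()
            if rtt > limit]
    return sorted(hits, key=lambda h: h[3], reverse=True)  # worst first


if __name__ == "__main__":
    for stream, src, dst, rtt in slow_streams(parse_rows(SAMPLE)):
        print(f"tcp.stream == {stream}  {src} -> {dst}  handshake RTT {rtt:.3f}s")
```

Each flagged stream number can then be opened in Wireshark with the display filter `tcp.stream == N` and inspected with the TCP Stream Graphs discussed in the thread.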
