Wireshark-dev: Re: [Wireshark-dev] Add plugin timing statistics

From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 9 Sep 2020 22:37:11 -0700
On Aug 31, 2020, at 8:20 AM, jayrturner99@xxxxxxxxx wrote:

> I would like advice on adding timing statistics to a Wireshark plugin. I have implemented a plugin for my company’s proprietary protocol, which sits on top of TCP/IP. I have added tap statistics to count various interesting pieces of data. I would now like to calculate the time it takes for the server to process commands.
>  
> Looking at a general flow in my protocol, a command is sent (PSH, ACK) and an ACK occurs. Then later a (PSH, ACK) and an ACK occur for the response.
> If I take the response (PSH, ACK) timestamp and subtract the command ACK timestamp, I think this would be the best “how long did the server take to process” time.

The *best* way would be to

	1) capture on the server;

	2) get the time stamp of the *last* TCP segment of the request and the time stamp of the *first* TCP segment of the reply;

	3) subtract them.

That removes whatever network transit time you'd get if you use a capture done on the client.

Note, of course, that what you're measuring there would be the amount of time between the time when the networking stack (including the capture mechanism) on the server time-stamped the incoming last TCP segment of the request and the time when the networking stack on the server time-stamped the outgoing first TCP segment of the reply, which counts some, but not all, server processing time.

Second best would be to capture on the same network as the one the server's on; that reduces the network transit time, although it's still there.
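The measurement Guy describes in steps 2) and 3), worked through as an added example (this is not code from the original thread, nor from Wireshark itself): given a server-side capture, take the time stamp of the *last* segment carrying request bytes and the *first* segment carrying reply bytes, and subtract. The endpoints and the segment list are constructed for the example; pure ACKs (zero TCP payload) are skipped so the server's ACK of the request is not mistaken for the start of the reply, and a multi-segment request only contributes its last segment.

```python
"""Server-side processing time from a TCP capture.

Added example, not from the original post. Pairs the last request
segment with the first reply segment of each exchange and returns the
difference, as Guy suggests for a capture taken on the server.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Segment:
    ts: float          # capture time stamp, seconds (frame.time_epoch)
    src: str           # "ip:port" of the sender
    dst: str           # "ip:port" of the receiver
    payload_len: int   # TCP payload bytes (tcp.len); 0 for a pure ACK


# Assumed endpoints; both are constructed for the example.
SERVER = "10.0.0.10:5000"
CLIENT = "10.0.0.5:51000"

# Constructed capture as the server's stack would time-stamp it:
# a request split over two PSH,ACK segments, the server's bare ACK,
# a reply split over two segments, then a second short exchange.
CAPTURE: List[Segment] = [
    Segment(100.0000, CLIENT, SERVER, 1460),  # request, first segment
    Segment(100.0010, CLIENT, SERVER, 300),   # request, LAST segment
    Segment(100.0012, SERVER, CLIENT, 0),     # server ACK (no payload, skipped)
    Segment(100.0487, SERVER, CLIENT, 900),   # reply, FIRST segment
    Segment(100.0490, SERVER, CLIENT, 200),   # reply, second segment (skipped)
    Segment(100.0600, CLIENT, SERVER, 0),     # client ACK (skipped)
    Segment(100.2000, CLIENT, SERVER, 64),    # second request, single segment
    Segment(100.2004, SERVER, CLIENT, 0),     # server ACK (skipped)
    Segment(100.2120, SERVER, CLIENT, 128),   # second reply
]


def service_times(segments: List[Segment],
                  server: str = SERVER) -> List[Tuple[float, float, float]]:
    """Return (last_request_ts, first_reply_ts, delta) per exchange.

    Assumes one outstanding request at a time on the connection; a
    pipelined protocol would need the request/response boundaries from
    the protocol dissector rather than from TCP payload direction alone.
    """
    results: List[Tuple[float, float, float]] = []
    last_request_ts = 0.0
    awaiting_reply = False

    for seg in sorted(segments, key=lambda s: s.ts):
        if seg.payload_len == 0:
            continue  # pure ACK: carries neither request nor reply bytes
        if seg.dst == server:
            # Each request segment overwrites the mark, so once the reply
            # shows up we hold the time stamp of the *last* request segment.
            last_request_ts = seg.ts
            awaiting_reply = True
        elif seg.src == server and awaiting_reply:
            # First segment carrying reply bytes ends the measurement.
            results.append((last_request_ts, seg.ts, seg.ts - last_request_ts))
            awaiting_reply = False  # later reply segments are not the first

    return results


if __name__ == "__main__":
    for req_ts, rep_ts, delta in service_times(CAPTURE):
        print(f"request done {req_ts:.4f}  reply starts {rep_ts:.4f}"
              f"  server time {delta * 1000:.1f} ms")
```

To feed a real server-side capture into this, the same four fields can be exported with tshark (`-T fields -e frame.time_epoch -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.len`) and mapped onto `Segment`. As Guy notes, the delta still only covers the interval between the server stack time-stamping the last inbound request segment and the first outbound reply segment, not all of the server's processing.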