
Wireshark-users: Re: [Wireshark-users] Strange RTT values during dial-up connection

From: "Juha Yli-Penttilä" <juha.yli-penttila@xxxxxx>
Date: Tue, 20 Jan 2009 13:25:55 +0200
Hi Martin,

thanks for your comments. In this case the downlink FTP transfer is ongoing, meaning that the file is downloaded from the server to the client. There is no other traffic than acks from the client to the server. If I try to select an ack and then plot the RTT graph, the graph is totally empty. Is there any way to monitor RTT estimates that the client sees by using this kind of downlink transfer?

Quoting "Martin Visser" <martinvisser99@xxxxxxxxx>:

Juha,

What you are seeing is the RTT for the traffic from the view of the server
being responded to by the client. I assume from your notes that you are
capturing traffic at the client end. Every time the server sends a
non-zero-length TCP payload incrementing the SEQ, it also expects an ACK
back from the client. Of course the same goes from the client traffic toward
the server. Even though you are capturing on the client end, it still needs
to do some processing before it sends the ACK.

The fact that RTT is quantised (at discrete levels) I think is indicative of
the resolution of the system clock on your machine, and hence the time
stamp. (There is some incomplete discussion on that here -
http://wiki.wireshark.org/Timestamps)

In order to see the RTT graph that corresponds to the response time for
client requests towards the server, you must select a frame in the TCP
session that is in that direction. You have selected a frame from server to
client, just select one going the other direction and then display the RTT
graph again. You should then get what you expect.

Regards, Martin

MartinVisser99@xxxxxxxxx


On Tue, Jan 20, 2009 at 2:39 AM, Juha Yli-Penttilä <juha.yli-penttila@xxxxxx> wrote:

Hi all,

I captured a log of an FTP transfer using an EGPRS dial-up connection. The RTT
values seem to be too small, because most of the values are < 70ms. In
practice these should be something like 200-500ms. The log capturing and FTP
client were run on the same computer (another endpoint). Am I doing
something wrong, or why are the RTT estimates this small? From the figure it can
also be seen that most of the RTT values are on certain levels, which I
guess should not be the case. Attached TCP RTT graph. Thanks in advance.

--
Juha Yli-Penttilä
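
An added example, not part of the original thread and not Wireshark's own code: a simplified ACK-based RTT calculation over a constructed client-side capture of a downlink transfer. It shows why the server-to-client direction yields small samples on discrete levels and why the client-to-server direction yields none. The packet tuples, the 10 ms timestamp tick and the function name `rtt_samples` are assumptions.

```python
# Constructed capture taken at the client during a downlink transfer.
# Timestamps assume a 10 ms clock tick (an assumption for illustration).
# Fields: (time_s, src, dst, seq, payload_len, ack)
CLIENT, SERVER = "client", "server"
PACKETS = [
    (0.000, SERVER, CLIENT, 1,    1000, 1),     # data arrives at the client
    (0.010, CLIENT, SERVER, 1,    0,    1001),  # pure ACK, sent one tick later
    (0.300, SERVER, CLIENT, 1001, 1000, 1),
    (0.310, SERVER, CLIENT, 2001, 1000, 1),
    (0.320, CLIENT, SERVER, 1,    0,    3001),  # delayed ACK covering two segments
    (0.600, SERVER, CLIENT, 3001, 1000, 1),
    (0.620, CLIENT, SERVER, 1,    0,    4001),
]


def rtt_samples(packets, sender):
    """RTT samples for data sent by `sender`, as seen at the capture point.

    A sample is the time from a payload-carrying segment to the first ACK
    from the peer that covers it. Simplified: no sequence-number wraparound,
    and retransmissions keep the time of the first transmission.
    """
    pending = {}   # expected ACK number (seq + len) -> capture time of the segment
    samples = []
    for t, src, dst, seq, length, ack in packets:
        if src == sender and length > 0:
            pending.setdefault(seq + length, t)
        elif src != sender:
            # A cumulative ACK acknowledges every outstanding segment up to `ack`.
            for end in sorted(e for e in pending if e <= ack):
                samples.append(round(t - pending.pop(end), 3))
    return samples


if __name__ == "__main__":
    # Server-to-client data: the "RTT" is only the client's own delay before
    # it ACKs, because the capture sits at the client. Values land on
    # multiples of the timestamp tick.
    print("server->client:", rtt_samples(PACKETS, SERVER))
    # Client-to-server: the client sends only zero-length ACKs, so nothing
    # is ever waiting to be acknowledged and there are no samples to plot.
    print("client->server:", rtt_samples(PACKETS, CLIENT))
```
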