
Wireshark-users: Re: [Wireshark-users] how to get round trip time and identify FIN-ACK and ACK pa

From: Martin Isaksson <martin.isaksson@xxxxxxxxxxxx>
Date: Tue, 26 Jun 2012 14:21:06 +0200
Hi Stuart!
 
I actually never looked so deeply into the IO graph with this field. A reason I never did that is because for example tcptrace (tcptrace.org) is so much better at plotting this at packet level, rather than averaging over a time period. Just looking at your numbers seems to indicate that Wireshark is plotting per tick, rather than per second. That's not the case in my version though (1.8.0rc2), so I am wondering if you have changed the unit from "Packets/Tick" to "Advanced"? tcp.analysis.ack_rtt goes into the right text field then.
 
For the second question, I'd suggest using tshark if possible to give you the CSV file.
tshark -r filename.pcap -R 'tcp.stream eq 7 && tcp.len==0' -Tfields -e tcp.analysis.ack_rtt (just one field, look in the man pages for how to create a CSV file).
I've filtered here on ACKs (tcp.len == 0) to get rid of empty samples, and on one TCP stream so that I am sure that these samples belong to the same conversation.
 
You also have the TCP graph under Statistics -> TCP StreamGraph -> Round Trip Time Graph.
 
There are other options such as exporting packet dissections from the Wireshark file menu after adding the RTT as a column, and of course there might possibly be some other faster and better ways for everything I've said here :)
 
 
Kind regards,
Martin
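
An added example, not part of the original message or of Wireshark: one way to turn a tshark field export into a per-stream RTT distribution and to pair each FIN with the ACK that acknowledges it, using the fields named in this thread. The export command in the comment, the sample rows and the helper names are assumptions made for illustration.

```python
import csv
import io
import statistics
from collections import defaultdict

# Assumed export (one row per packet, no filter, so FIN frames are included):
#   tshark -r filename.pcap -T fields -E header=y -E separator=, \
#     -e frame.number -e tcp.stream -e tcp.flags.fin \
#     -e tcp.analysis.acks_frame -e tcp.analysis.ack_rtt
# Constructed sample of that output (not taken from a real capture).
SAMPLE = """\
frame.number,tcp.stream,tcp.flags.fin,tcp.analysis.acks_frame,tcp.analysis.ack_rtt
1,7,0,,
2,7,0,1,0.000400000
3,7,0,,
4,7,0,3,0.000600000
5,7,1,,
6,7,0,5,0.000200000
7,7,True,,
8,7,False,7,0.000300000
9,8,0,,
10,8,0,9,0.050000000
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def is_set(value):
    # Boolean fields are printed as 1/0 or True/False depending on the tshark version.
    return value.strip().lower() in ("1", "true")

def rtt_by_stream(rows):
    """Group ack_rtt samples (seconds) by tcp.stream; rows without an RTT are skipped."""
    out = defaultdict(list)
    for r in rows:
        if r["tcp.analysis.ack_rtt"]:
            out[int(r["tcp.stream"])].append(float(r["tcp.analysis.ack_rtt"]))
    return dict(out)

def fin_ack_pairs(rows):
    """Return (fin_frame, ack_frame, rtt) where acks_frame points at a FIN segment."""
    fins = {int(r["frame.number"]) for r in rows if is_set(r["tcp.flags.fin"])}
    return [(int(r["tcp.analysis.acks_frame"]), int(r["frame.number"]),
             float(r["tcp.analysis.ack_rtt"]))
            for r in rows
            if r["tcp.analysis.acks_frame"] and r["tcp.analysis.ack_rtt"]
            and int(r["tcp.analysis.acks_frame"]) in fins]

def summarize(samples):
    return {"n": len(samples), "min": min(samples), "max": max(samples),
            "median": statistics.median(samples), "mean": statistics.mean(samples)}
```
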


From: Stuart Kendrick [mailto:skendric@xxxxxxxxx]
Sent: den 26 juni 2012 13:54
To: Community support list for Wireshark
Cc: Martin Isaksson
Subject: Re: [Wireshark-users] how to get round trip time and identify FIN-ACK and ACK pairs

Hi Martin,

I've been following this thread with interest ... but I'm stumbling on the solution you sketch.

I'm in IO Graphs, I've assigned the Filter "tcp.analysis.ack_rtt" to Graph 1, and I see a chart which, for my trace, wanders around an average value of ~400 for a Tick interval of .1s, ~40 for a Tick interval of .01s, and ~4 for a Tick interval of .001s. Glancing through the trace ... I might buy the idea that time between ACKs averages ~40us ...
    ==> How do I know what units Wireshark is using on the y-axis?

Alternatively, perhaps you are suggesting a way to produce a CSV file containing these RTT calculations, from which I could calculate AVG, MEAN, MEDIAN, etc.
    ==> But I don't see how to do that, i.e. how to produce a CSV file listing 'tcp.analysis.ack_rtt' for each ACK.

And perhaps I'm not following you at all
    ==> Would you elaborate on the analysis technique you sketched below?

--sk

Stuart Kendrick
FHCRC

On 6/21/2012 3:33 AM, Martin Isaksson wrote:
Hi,
 
try the tcp.flags.fin==1, tcp.stream, tcp.analysis.ack_rtt and tcp.analysis.acks_frame fields.
 
Regards,
Martin


From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of esolve esolve
Sent: den 21 juni 2012 12:01
To: wireshark-users@xxxxxxxxxxxxx
Subject: Re: [Wireshark-users] how to get round trip time and identify FIN-ACK and ACK pairs

so nobody has any idea?
the intuitive idea is to use sequence number/ack number, but it may be a bit troublesome, any other ideas? thanks

2012/6/20 esolve esolve <esolvepolito@xxxxxxxxx>
Hi, all,

 I want to get round trip time distribution from a pcap file.  My
idea is to compute each round trip time for each pair of data packets
and ack packets. But the difficulty is to identify the pairs, namely,
for each data packet(ack packet) I need to find the corresponding ack
packet(data packet). How can I achieve this?

  Besides, for the find tcp tear-down process, how to identify each
FIN-ACK and ACK pair? thanks!


