Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: [Wireshark-users] Question on measuring on both sides of a masquerading server.

From: L A Walsh <wireshark@xxxxxxxxx>
Date: Tue, 23 Apr 2019 10:42:31 -0700
I have been trying to trace a performance problem from my desktop
client to a remote server, that locally goes through a linux-server
running in a masquerade mode.

Usually, timings between the local server (doing the masquerade)
using *ping* have:
rtt min/avg/max/mdev = 0.064/0.136/0.615/0.053 ms,
average around .14ms.  The other direction, ping will show 0.000ms,
due to windows' timing ability.

In wireshark, when looking at the rtt time graph of the application
I'm looking at (bladeandsoul.com game server) from local to
remote, am seeing 80-140ms but the reverse flow, as measured
by wireshark running on the intermediate server (the one doing
the masquerade) is showing around 1ms, with rare spikes around 10ms.

I'm trying to figure out what I'm seeing when looking at the rtt time
of the 'reverse flow'.  Theoretically, I would see traffic sent
from client to remote server.  Would I bee seeing the same thing
when going through a masquerading proxy, or would I be seeing the
ping time from the client to the masquerade-box.

I.e. packets from the client going to the remote would first be
going into the masquerade box, then forwarded out the appropriate
port and on to the remote server.  What I'm wondering is whether or
not the client->remote let is really showing me client->masqServ and
I might not be seeing 'masqServ->remote' at all.  I'm finding
it hard to believe that with one path, client->remote rtt is 80-150ms,
but the opposite flow would be near 1ms.  Even using a ping size
of 1400 bytes, rtt avg=.139 (3ms slower) and 40ms slower with
non-fragmented 8000 byte packets (client->masqServ uses jumbo).

Just for diagnostics, I tried using normal packet size limits on
the ethernet cablwe to see if making the masqServer do
9000->1500 remarshaling was adding any measurable
time -- it made no difference.

The thing is, I don't see how it would be possible for the remote server
to get a rtt of 1ms, while minimum ping and rtt on the client->remote
path is a minimum of 70-80ms with average 140.

Is that a valid "assumption" on my part?

Is my assumption that the 1ms rtt time I see is more likely the
time from the MasqServ -> client with the remote->MasqServ not being shown?

How might I see or measure the rtt time of the remote->MasqServ?.  I
don't suppose it would be possible to have the the return-trip times,
both to the MasqServ and to the client added together to see a total?

Attached are the two graphs aligned as to be in sync w/each other.

Thanks!








JPEG image