Wireshark-users: Re: [Wireshark-users] tcp.analysis.ack_rtt - Unexpected short TCP RTT
From: <Ed.Staszko@xxxxxxxxxxxxxxxxx>
Date: Sat, 13 Jun 2009 06:55:07 -0500
Unfortunately, the tcp.analysis.ack_rtt logic in Wireshark is flawed. (see
bug report on this issue)
Try using the last available version of Ethereal and you will see an
accurate representation.
Ed Staszko
Senior Network Analyst
Mutual of Omaha
"Francis-CM Chan"
<francis-cm_chan@
smartone-vodafone To
.com> wireshark-users@xxxxxxxxxxxxx
Sent by: cc
wireshark-users-b
ounces@wireshark. Subject
org [Wireshark-users]
tcp.analysis.ack_rtt - Unexpected
short TCP RTT
06/12/2009 09:32
PM
Please respond to
"Community
support list for
Wireshark"
<wireshark-users@
wireshark.org>
Hi,
Currently, I am studying the latency between a typical internet use and
a online game server. I use the tcp.analsyis.ack_rtt to extract
information for analysis. Here is my command line:
tshark -Tfields -E header=y -e frame.number -e frame.time_relative -e
ip.src -e tcp.flags -e tcp.analysis.acks_frame -e tcp.analysis.ack_rtt
-r tcp.analysis.ack_rtt.pcap > tcp.analysis.ack_rtt.txt
The attached capture file is a short extraction of the TCP dialog
between the 2 end points (user 192.168.1.102 and server
202.123.175.210). The monitoring point was at the user side made
possible by inserting an Extreme switch with a mirroring port
configured. The capturing machine is an IBM X61 notebook running WinXP.
I understand that I should use the tcp.analysis.ack_rtt for the
direction 202.123.175.210->192.168.1.102 (i.e. ip.src ==
202.123.175.210) for the measure of the rtt of the communication link.
However, to my surprise, I get extraordinary short measure for some
specific cases. For example, frame 13, 16, 39, 52.
Can any expert help to explain what is going on, or do I
misunderstanding something? If my concept is right, would it be
something wrong with the capturing environment?
Regards,
Francis Chan
=========== output from tshark ================
frame frame.time ip.src
tcp.flags
tcp.analysis.acks_frame tcp.analysis.ack_rtt
1 0 202.123.175.210 0x18
2 0.139957 192.168.1.102 0x10 1
0.139957
3 0.331267 202.123.175.210 0x18 2
0.19131
4 0.44172 192.168.1.102 0x10
3 0.110453
5 0.510189 202.123.175.210 0x18 4
0.068469
6 0.643078 192.168.1.102 0x10 5
0.132889
7 0.813951 202.123.175.210 0x10 6
0.170873
8 0.823548 202.123.175.210 0x10
9 0.823555 192.168.1.102 0x10 8
0.000007
10 0.903789 202.123.175.210 0x10 9
0.080234
11 0.913734 202.123.175.210 0x10
12 0.913891 192.168.1.102 0x10 11
0.000157
13 0.92357 202.123.175.210 0x10
12 0.009679
14 0.993972 202.123.175.210 0x10
15 0.993979 192.168.1.102 0x10 14
0.000007
16 1.003893 202.123.175.210 0x10 15
0.009914
17 1.004383 202.123.175.210 0x18
18 1.004389 192.168.1.102 0x10 17
0.000006
19 1.30019 202.123.175.210 0x18
18 0.295801
20 1.447811 192.168.1.102 0x10 19
0.147621
21 1.580027 202.123.175.210 0x18 20
0.132216
22 1.749584 192.168.1.102 0x10 21
0.169557
23 1.820187 202.123.175.210 0x18 22
0.070603
24 1.950755 192.168.1.102 0x10 23
0.130568
25 2.220194 202.123.175.210 0x18 24
0.269439
26 2.353105 192.168.1.102 0x10 25
0.132911
27 2.420021 202.123.175.210 0x18 26
0.066916
28 2.554268 192.168.1.102 0x10 27
0.134247
29 2.756383 192.168.1.102 0x18
30 2.757533 192.168.1.102 0x18
31 2.820148 202.123.175.210 0x10
32 2.843951 202.123.175.210 0x10
33 2.853885 202.123.175.210 0x10
34 2.857996 192.168.1.102 0x10 33
0.004111
35 2.863548 202.123.175.210 0x10
36 2.880125 202.123.175.210 0x10 30
0.122592
37 2.953777 202.123.175.210 0x10
38 2.954035 192.168.1.102 0x10 37
0.000258
39 2.963877 202.123.175.210 0x10 38
0.009842
40 2.972585 202.123.175.210 0x18
41 2.972592 192.168.1.102 0x10 40
0.000007
42 3.051291 202.123.175.210 0x18 41
0.078699
43 3.157789 192.168.1.102 0x10 42
0.106498
44 3.231312 202.123.175.210 0x18 43
0.073523
45 3.334778 192.168.1.102 0x18 44
0.103466
46 3.334784 192.168.1.102 0x18
47 3.338861 192.168.1.102 0x18
48 3.400308 202.123.175.210 0x18
49 3.430135 202.123.175.210 0x10 47
0.091274
50 3.444544 202.123.175.210 0x10
51 3.444984 192.168.1.102 0x10 50
0.00044
52 3.446886 202.123.175.210 0x10 51
0.001902
53 3.513886 202.123.175.210 0x10
54 3.513895 192.168.1.102 0x10 53
0.000009
55 3.52455 202.123.175.210 0x10
54 0.010655
56 3.533878 202.123.175.210 0x10
57 3.533885 192.168.1.102 0x10 56
0.000007
58 3.583883 202.123.175.210 0x10 57
0.049998
59 3.593878 202.123.175.210 0x10
60 3.593888 192.168.1.102 0x10 59
0.00001
Experience the true Internet. Right on your mobile. Right now.
www.smartone-vodafone.com
************************************ E-mail Disclaimer
************************************
This e-mail message (together with any attachments) is confidential to the
addressee
and may also be privileged. If you are not the intended recipient, you are
hereby notified
that any dissemination, distribution or copying of this message is strictly
prohibited.
Please also notify the sender immediately by return e-mail and delete it
from your system.
Internet communications cannot be guaranteed to be secure or error-free.
The sender and the entity through which this message is sent therefore do
not accept
liability for errors or omissions as contained in the message and any
spreading of viruses
as a result of Internet transmission.
Any opinions contained in this message are those of the sender personally
and would
not bind any entity unless otherwise clearly stated and with the authority
of the sender
duly verified.
*******************************************************************************************
(See attached file: tcp.analysis.ack_rtt.pcap)
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
This e-mail and any files transmitted with it are confidential and are solely for the use of the addressee. It may contain material that is legally privileged, proprietary or subject to copyright belonging to Mutual of Omaha Insurance Company and its affiliates, and it may be subject to protection under federal or state law. If you are not the intended recipient, you are notified that any use of this material is strictly prohibited. If you received this transmission in error, please contact the sender immediately by replying to this e-mail and delete the material from your system. Mutual of Omaha Insurance Company may archive e-mails, which may be accessed by authorized persons and may be produced to other parties, including public authorities, in compliance with applicable laws.
Attachment:
tcp.analysis.ack_rtt.pcap
Description: Binary data
- References:
- [Wireshark-users] tcp.analysis.ack_rtt - Unexpected short TCP RTT
- From: Francis-CM Chan
- [Wireshark-users] tcp.analysis.ack_rtt - Unexpected short TCP RTT
- Prev by Date: [Wireshark-users] tcp.analysis.ack_rtt - Unexpected short TCP RTT
- Next by Date: [Wireshark-users] tcp.analysis.ack_rtt - Unexpected short TCP RTT
- Previous by thread: [Wireshark-users] tcp.analysis.ack_rtt - Unexpected short TCP RTT
- Next by thread: [Wireshark-users] tcp.analysis.ack_rtt - Unexpected short TCP RTT
- Index(es):