Wireshark-users: [Wireshark-users] tcp.analysis.ack_rtt
From: "Wynns, Roger [OXFORD]" <RWynns@xxxxxxxxxxx>
Date: Mon, 16 Mar 2009 08:32:25 -0500
Thanks, Sake, this is what I have been looking for....

Roger

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Thursday, March 12, 2009 6:30 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] tcp.analysis.ack_rtt

On Thu, Mar 12, 2009 at 01:46:03PM -0500, Wynns, Roger [OXFORD] wrote:
>    I have a question about how tcp.analysis.ack_rtt is calculated... In the
>    documentation (Wikipedia.org) RTT is calculated from the three-way
>    handshake but it appears that in Wireshark it is also calculated for each
>    ACK.  So my question is: how is it calculated, and is it possible to just
>    get the RTT numbers for just the three-way handshake?

Yes, it is calculated for each ACK, but there was some discussion
recently on which packets should contain this field...

>    What I am trying to get is the RTT for each port connection that the
>    client makes to use as baseline data.

Something like:

tshark -r <file> -R "tcp.flags.syn==1 && tcp.flags.ack==1" -T fields -e tcp.analysis.ack_rtt

will get you a list of the RTT of each SYN/ACK, you might want to add
server IP and port:

tshark -r traces/sharkfest-1.cap -R "tcp.flags.syn==1 && tcp.flags.ack==1" -T fields -e ip.src -e tcp.srcport -e tcp.analysis.ack_rtt

Hope this helps,
Cheers,
     Sake
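
Added example, not part of the original thread: a Python script that turns the tab-separated output of the second tshark command above (ip.src, tcp.srcport, tcp.analysis.ack_rtt) into a per-service handshake RTT baseline and lists handshakes far above it. The sample rows, the function names and the 3x-median threshold are constructed for illustration.

```python
import statistics
import sys
from collections import defaultdict

# Constructed sample of "-T fields" output: ip.src <TAB> tcp.srcport <TAB>
# tcp.analysis.ack_rtt. Addresses come from the documentation ranges.
SAMPLE = (
    "192.0.2.10\t443\t0.021500000\n"
    "192.0.2.10\t443\t0.023100000\n"
    "192.0.2.10\t443\t0.019800000\n"
    "198.51.100.7\t25\t0.145000000\n"
    "198.51.100.7\t25\t\n"            # SYN/ACK row with no ack_rtt value
    "192.0.2.10\t443\t0.350000000\n"  # one slow handshake
)

def parse_rtts(text):
    """Group SYN/ACK RTTs (seconds) by (server_ip, server_port)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[2].strip():
            continue  # tshark printed an empty field: nothing to record
        try:
            groups[(parts[0], int(parts[1]))].append(float(parts[2]))
        except ValueError:
            continue  # malformed row, skip rather than skew the baseline
    return dict(groups)

def baseline(groups):
    """Per-service count, min, median and max of the handshake RTT."""
    return {k: {"count": len(v), "min": min(v),
                "median": statistics.median(v), "max": max(v)}
            for k, v in groups.items()}

def outliers(groups, factor=3.0):
    """Handshakes slower than factor x the median for that service."""
    base = baseline(groups)
    return [(k, r) for k, rtts in groups.items()
            for r in rtts if r > factor * base[k]["median"]]

if __name__ == "__main__":
    # Pass a file holding saved tshark output, or run with no argument
    # to use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    groups = parse_rtts(text)
    for (ip, port), s in baseline(groups).items():
        print(f"{ip}:{port} n={s['count']} median={s['median']:.4f}s max={s['max']:.4f}s")
    for (ip, port), rtt in outliers(groups):
        print(f"slow handshake {ip}:{port} rtt={rtt:.4f}s")
```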