Wireshark-users: [Wireshark-users] tcp.analysis.ack_rtt - Unexpected short TCP RTT
From: "Francis-CM Chan" <francis-cm_chan@xxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 15 Jun 2009 09:32:42 +0800
Thanks Ed for the response.

I am using the 1.0.8 stable version to capture, and use 1.0.6 to do the processing. Is the problem you are referring to due to capturing or the post-processing? As a preliminary check on the capture details, I can hardly find any calculation problem on the packets I am checking. Can you be more specific so that I can have a much clearer understanding?

Thank you in advance.

Francis

----------------------------------------------------------------------
Message: 1
Date: Sat, 13 Jun 2009 06:55:07 -0500
From: <Ed.Staszko@xxxxxxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tcp.analysis.ack_rtt - Unexpected short TCP RTT
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <OF85E4BA5A.6F4BE457-ON862575D4.0041216A-862575D4.004178C7@mutualofomaha.com>
Content-Type: text/plain; charset="us-ascii"

Unfortunately, the tcp.analysis.ack_rtt logic in Wireshark is flawed. (see bug report on this issue)

Try using the last available version of Ethereal and you will see an accurate representation.

Ed Staszko
Senior Network Analyst
Mutual of Omaha
___________________________________________________

Hi,

Currently, I am studying the latency between a typical internet user and an online game server. I use the tcp.analysis.ack_rtt to extract information for analysis. Here is my command line:

    tshark -Tfields -E header=y -e frame.number -e frame.time_relative -e ip.src -e tcp.flags -e tcp.analysis.acks_frame -e tcp.analysis.ack_rtt -r tcp.analysis.ack_rtt.pcap > tcp.analysis.ack_rtt.txt

The attached capture file is a short extraction of the TCP dialog between the 2 end points (user 192.168.1.102 and server 202.123.175.210). The monitoring point was at the user side, made possible by inserting an Extreme switch with a mirroring port configured. The capturing machine is an IBM X61 notebook running WinXP.

I understand that I should use the tcp.analysis.ack_rtt for the direction 202.123.175.210->192.168.1.102 (i.e. ip.src == 202.123.175.210) for the measure of the rtt of the communication link. However, to my surprise, I get an extraordinarily short measure for some specific cases. For example, frames 13, 16, 39, 52.

Can any expert help to explain what is going on, or do I misunderstand something? If my concept is right, would it be something wrong with the capturing environment?

Regards,
Francis Chan

=========== output from tshark ================
frame  frame.time  ip.src           tcp.flags  tcp.analysis.acks_frame  tcp.analysis.ack_rtt
1      0           202.123.175.210  0x18
2      0.139957    192.168.1.102    0x10       1                        0.139957
3      0.331267    202.123.175.210  0x18       2                        0.19131
4      0.44172     192.168.1.102    0x10       3                        0.110453
5      0.510189    202.123.175.210  0x18       4                        0.068469
6      0.643078    192.168.1.102    0x10       5                        0.132889
7      0.813951    202.123.175.210  0x10       6                        0.170873
8      0.823548    202.123.175.210  0x10
9      0.823555    192.168.1.102    0x10       8                        0.000007
10     0.903789    202.123.175.210  0x10       9                        0.080234
11     0.913734    202.123.175.210  0x10
12     0.913891    192.168.1.102    0x10       11                       0.000157
13     0.92357     202.123.175.210  0x10       12                       0.009679
14     0.993972    202.123.175.210  0x10
15     0.993979    192.168.1.102    0x10       14                       0.000007
16     1.003893    202.123.175.210  0x10       15                       0.009914
17     1.004383    202.123.175.210  0x18
18     1.004389    192.168.1.102    0x10       17                       0.000006
19     1.30019     202.123.175.210  0x18       18                       0.295801
20     1.447811    192.168.1.102    0x10       19                       0.147621
21     1.580027    202.123.175.210  0x18       20                       0.132216
22     1.749584    192.168.1.102    0x10       21                       0.169557
23     1.820187    202.123.175.210  0x18       22                       0.070603
24     1.950755    192.168.1.102    0x10       23                       0.130568
25     2.220194    202.123.175.210  0x18       24                       0.269439
26     2.353105    192.168.1.102    0x10       25                       0.132911
27     2.420021    202.123.175.210  0x18       26                       0.066916
28     2.554268    192.168.1.102    0x10       27                       0.134247
29     2.756383    192.168.1.102    0x18
30     2.757533    192.168.1.102    0x18
31     2.820148    202.123.175.210  0x10
32     2.843951    202.123.175.210  0x10
33     2.853885    202.123.175.210  0x10
34     2.857996    192.168.1.102    0x10       33                       0.004111
35     2.863548    202.123.175.210  0x10
36     2.880125    202.123.175.210  0x10       30                       0.122592
37     2.953777    202.123.175.210  0x10
38     2.954035    192.168.1.102    0x10       37                       0.000258
39     2.963877    202.123.175.210  0x10       38                       0.009842
40     2.972585    202.123.175.210  0x18
41     2.972592    192.168.1.102    0x10       40                       0.000007
42     3.051291    202.123.175.210  0x18       41                       0.078699
43     3.157789    192.168.1.102    0x10       42                       0.106498
44     3.231312    202.123.175.210  0x18       43                       0.073523
45     3.334778    192.168.1.102    0x18       44                       0.103466
46     3.334784    192.168.1.102    0x18
47     3.338861    192.168.1.102    0x18
48     3.400308    202.123.175.210  0x18
49     3.430135    202.123.175.210  0x10       47                       0.091274
50     3.444544    202.123.175.210  0x10
51     3.444984    192.168.1.102    0x10       50                       0.00044
52     3.446886    202.123.175.210  0x10       51                       0.001902
53     3.513886    202.123.175.210  0x10
54     3.513895    192.168.1.102    0x10       53                       0.000009
55     3.52455     202.123.175.210  0x10       54                       0.010655
56     3.533878    202.123.175.210  0x10
57     3.533885    192.168.1.102    0x10       56                       0.000007
58     3.583883    202.123.175.210  0x10       57                       0.049998
59     3.593878    202.123.175.210  0x10
60     3.593888    192.168.1.102    0x10       59                       0.00001