Wireshark-users: Re: [Wireshark-users] Comparing two pcap files for latency
From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Tue, 1 Feb 2011 10:20:31 +1100
As Guy has said, you can't use the absolute times unless you can
ensure the machines at each end are millisecond synchronised.

The best way to measure network latency is to look at time between
some form of request leaving and its related response being returned.
The most elementary one that people use of course is ping, or ICMP
echo.

However if you haven't injected ICMP you probably want to look for
built-in mechanisms. The one I use is the SYN request and the SYN-ACK
response. As this is handled in the IP stack within the kernel on all
OSes, there will be very little delay attributable to context
switching. (As you have captured traffic at both ends you can probably
prove this). ICMP echo is also done in the kernel.

Of course if you are not using ICMP or TCP you may need to look at
other request/responses such as DNS or SIP that hopefully have only a
small amount of processing time.

One other thing when using TCP is the TCP timestamp option. These are
recorded in the header options. Depending on your operating system you
may need to enable these as a privileged admin.

Regards, Martin

MartinVisser99@xxxxxxxxx



On 1 February 2011 09:57,  <jobhunts02@xxxxxxx> wrote:
> Yes, I am interested in the time spent
> between the two machines.
>
>
> On Jan 31, 2011, at 12:51 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
>>
>> On Jan 31, 2011, at 9:19 AM, jobhunts02@xxxxxxx wrote:
>>
>>> Is there a program available that will compare two pcap files and calculate the latency of specific packets, assuming that the clocks on the two machines that created the pcap files are synchronized?
>>
>> By "calculate the latency" do you mean that the packets in question are going between two particular machines, and the two captures were done on those machines, and, for each of those packets, you want the difference between the time stamp for that packet in the capture done on the machine that sent the packet and the time stamp for that packet in the capture done on the machine that received the packet?
>>
>> I don't know whether such a program exists - and the accuracy of the time delta will depend on the accuracy of the time stamps and, by default, there are a number of reasons why the time stamp might not be as accurate as you'd like (low resolution of the timer used by the OS to time-stamp the packets, delays between the point at which a packet being sent is time-stamped and the point at which the packet is put on the wire, delays between the point at which a packet is received and the point at which it's time-stamped).
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
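The SYN / SYN-ACK pairing Martin describes, as an added example that is not code from this thread or from Wireshark: a minimal classic-pcap reader that pairs each SYN with the first matching SYN-ACK seen at one capture point and reports the round trip, which needs no clock synchronisation between the two hosts. The frame builder, addresses, ports and timestamps are constructed test data, not a real capture.

```python
import struct

# Constructed sample frames: Ethernet/IPv4/TCP packed by hand, no checksums, not a real
# capture. Timestamps come from one capture point, so SYN -> SYN-ACK is a true round trip.
def tcp_frame(src, dst, sport, dport, flags, seq=0, ack=0):
    """Build raw Ethernet+IPv4+TCP bytes carrying the given TCP flag byte."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

def build_pcap(records):
    """records: [(timestamp_seconds, frame_bytes)] -> classic pcap bytes, link type Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def iter_tcp(pcap):
    """Yield (timestamp, src, dst, sport, dport, flags) for every IPv4/TCP frame."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # microsecond pcap magic
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                       # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:
            continue                       # not TCP, or truncated
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        yield sec + usec / 1e6, src, dst, sport, dport, ip[ihl + 13]

def handshake_rtts(pcap):
    """Pair each SYN with its first SYN-ACK; return {(src, dst, sport, dport): seconds}."""
    pending, rtts = {}, {}
    for ts, src, dst, sport, dport, flags in iter_tcp(pcap):
        if (flags & 0x12) == 0x02:         # SYN only: keep the first, ignore retransmits
            pending.setdefault((src, dst, sport, dport), ts)
        elif (flags & 0x12) == 0x12:       # SYN-ACK: flows back towards the client
            key = (dst, src, dport, sport)
            if key in pending and key not in rtts:
                rtts[key] = round(ts - pending.pop(key), 6)
    return rtts
```

Point `handshake_rtts` at the bytes of a real Ethernet capture to get one RTT per handshake; a SYN-ACK with no preceding SYN in the file is simply skipped.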