Wireshark-users: Re: [Wireshark-users] Question about seeing Latency in TCP conversations
From: Andrej van der Zee <andrejvanderzee@xxxxxxxxx>
Date: Thu, 5 Jan 2012 15:49:54 +0100
You have to be a little careful when using this though, as Wireshark sometimes miscalculates this in the presence of Duplicate ACKs. The best way to use it (taking out effects of the server processing delay), is during the initial handshake. So what I do is filter for "tcp.flags == 0x12" (which is the SYN/ACK) and plot tcp.analysis.ack_rtt or add it as a column.

How could one do this if the tcpdump is taken from a spanned switch-port instead of captured onsite at the client? In this case, I guess a better approximation for wire-latency would be the timestamp difference between the first SYN packet (client to server) and last ACK packet (client to server) in the 3-way handshake. An extra imposed inaccuracy would be due to the processing of the TCP/IP stack at the client in addition to the server. I guess not, but is there any way to plot this timestamp difference in an IO graph in Wireshark? Or are there other tools that can spit this in text-tables?

Cheers,
Andrej
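
The handshake measurement asked about above, as an added example that is not part of the original message: it reads a capture taken at a SPAN port and reports, per connection, the SYN to SYN/ACK delay (capture point to server and back), the SYN/ACK to final ACK delay (capture point to client and back) and their sum as a text table. The function names and the embedded three-packet capture are constructed for illustration; the parser assumes a classic little-endian pcap file (not pcapng) with Ethernet framing and IPv4.

```python
import struct

def handshake_delays(pcap):
    """Map (client, cport, server, sport) -> (SYN->SYN/ACK, SYN/ACK->ACK) in microseconds."""
    if struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian, microsecond-resolution pcap is handled")
    pending, done, off = {}, {}, 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # Ethernet/IPv4/TCP only
        tcp = 14 + (frame[14] & 0x0F) * 4
        if len(frame) < tcp + 14:
            continue  # truncated TCP header
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        flags = frame[tcp + 13] & 0x17  # FIN, SYN, RST, ACK bits
        ts = sec * 1_000_000 + usec
        fwd = (frame[26:30], sport, frame[30:34], dport)
        rev = (frame[30:34], dport, frame[26:30], sport)
        if flags == 0x02:
            pending.setdefault(fwd, [ts, None])  # first SYN; retransmits ignored
        elif flags == 0x12 and rev in pending and pending[rev][1] is None:
            pending[rev][1] = ts
        elif flags == 0x10 and fwd not in done and pending.get(fwd, (0, None))[1] is not None:
            done[fwd] = (pending[fwd][1] - pending[fwd][0], ts - pending[fwd][1])
    return done

def table(delays):  # one text row per connection, times in milliseconds
    ep = lambda ip, port: f"{'.'.join(map(str, ip))}:{port}"
    rows = [f"{'client':<22}{'server':<22}{'syn>synack':>11}{'synack>ack':>11}{'total_ms':>10}"]
    for (c, cp, s, sp), (a, b) in delays.items():
        rows.append(f"{ep(c, cp):<22}{ep(s, sp):<22}{a/1000:>11.3f}{b/1000:>11.3f}{(a+b)/1000:>10.3f}")
    return "\n".join(rows)

def record(ts_us, src, dst, sport, dport, flags):
    """Constructed frame: zeroed MACs and checksums, 20-byte IPv4 and TCP headers."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, bytes(src), bytes(dst))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", *divmod(ts_us, 1_000_000), len(frame), len(frame)) + frame

C, S = (10, 0, 0, 5), (10, 0, 0, 9)  # constructed client and server addresses
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + record(1_000_000, C, S, 40000, 80, 0x02)    # SYN
          + record(1_000_400, S, C, 80, 40000, 0x12)    # SYN/ACK
          + record(1_030_400, C, S, 40000, 80, 0x10))   # final ACK

if __name__ == "__main__":
    print(table(handshake_delays(SAMPLE)))
```
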